Date: Thu, 28 Jul 2005 13:40:32 -0700 (PDT)
From: Dave McCammon <davemac11@yahoo.com>
To: "Gary W. Swearingen" <garys@opusnet.com>, freebsd-questions@freebsd.org
Subject: Re: Can someone clarify ipfw's in/out/recv/xmit/via concepts?
Message-ID: <20050728204032.71440.qmail@web32812.mail.mud.yahoo.com>
In-Reply-To: <3tll3tystl.l3t@mail.opusnet.com>
--- "Gary W. Swearingen" <garys@opusnet.com> wrote:

> I see in another msg that I'm not the only one scratching my head over
> the ipfw manpage's explanation of in/out/recv/xmit/via concepts. I've
> spent many hours reading that manpage and working on my rc.firewall
> (and it seems to work OK, based on the logging), but I can't figure
> out what it's trying to tell me, even with that nice ASCII art.
>
> (I hope your replies will help me get some clarifications into the
> manpage.)
>
>       ^     to upper layers    V
>       |                        |
>       +----------->------------+
>       ^                        V
>   [ip_input]             [ip_output]        net.inet.ip.fw.enable=1
>       |                        |
>       ^                        V
>  [ether_demux]      [ether_output_frame]    net.link.ether.ipfw=1
>       |                        |
>       +-->--[bdg_forward]-->---+            net.link.ether.bridge_ipfw=1
>       ^                        V
>       |       to devices       |
>       +                        +
>
>   FROM BOTH                 TO BOTH
>     NICS?                    NICS?
>
> Here's a pic of my firewall:
>
>   +------------------------------+
>   |  +-------------------------+ |
>   |  |         KERNEL          | |
>   |  +-------------------------+ |
>   |    |   |           |   |     |
>   |    v   ^           v   ^     |
>   |    |   |           |   |     |
>   |  +-----+           +-----+   |
>   |  | NIC |    FW     | NIC |   |
>   |  +-----+           +-----+   |
>   |    |   |           |   |     |
>   +------------------------------+
>        |   |           |   |
>        v   ^           v   ^
>        |   |           |   |
>
>         WAN             LAN
>
> The manpage says we have incoming and outgoing packets.
> In and out of what? NIC or kernel or ipfw or computer?
>
> The manpage describes:
>     recv | xmit | via {ifX | if* | ipno | any}
>
> Is my "de0" an "ifX" or an "if*"?
> ("exact name" or "device name")
>
> What would be an example of the other?
>
> Does "ipno" mean a numerical Internet address?
> (It's not mentioned elsewhere in the manpage.)
>
> Does each of my NICs have both of the manpage's xmit and recv
> interfaces, or is one an xmit and one a recv for any one packet rule?
>
> If an incoming packet can be associated with an xmit interface, why
> can't an outgoing packet be associated with a recv interface?
>
> P.S.
> It seems that some people do their blocking of packets going from LAN
> to WAN "on" (so to speak) the LAN interface, some on the WAN interface,
> and some on both. It doesn't seem to make much difference on a pure
> firewall, except for rule-writing convenience. Right?
>
> I suppose it would be best to put blocks everywhere possible, or at
> least "where" the packets enter the computer. Right?
>
> Help!!

Here is a link to a thread that helped me to understand the in/out/recv/xmit stuff.

http://groups-beta.google.com/group/comp.unix.bsd.freebsd.misc/tree/browse_frm/thread/240d22a55265689/4bb2dd91a376fa6c?rnum=1&hl=en&_done=%2Fgroup%2Fcomp.unix.bsd.freebsd.misc%2Fbrowse_frm%2Fthread%2F240d22a55265689%2F2c14cdd252d01ff2%3Fhl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26rnum%3D4%26prev%3D%2Fgroups%3Fq%3Dipfw%2Bout%2Brecv%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26selm%3D3B5E86C8.8438BEE7%2540amit.cz%26rnum%3D4%26#doc_8d3d7ceea76d1cca

OK, kind of long... do a search in Google Groups using: Why is there a "out recv" interface spec in ipfw?
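The questions above are easier to answer by watching what ipfw actually sees on each pass of a packet through the two-NIC firewall in the drawing. The following is an added illustration written for this archive page; it is not FreeBSD code and not from either poster. It models the option semantics as ipfw(8) documents them: a packet is "in" while the kernel is receiving it (no output interface has been chosen yet) and "out" once it is being transmitted; `recv` can be tested on both incoming and outgoing packets, `xmit` only on outgoing ones (so `out` is required with `xmit`), and `via` tests the transmit interface on an outgoing packet and the receive interface otherwise. `ifX` is an exact name such as `de0`, `if*` a driver wildcard such as `de*`. The assignment of `de0` to the WAN and `de1` to the LAN is an assumption for the example, and matching by address (`ipno`) is left out.

```python
"""
Toy model of how ipfw(8) evaluates the in/out/recv/xmit/via options of a
rule against a packet.  Added illustration for this thread, not FreeBSD
code.  Interface names are assumed: de0 = WAN side, de1 = LAN side.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional

WAN = "de0"   # assumed NIC assignment
LAN = "de1"


@dataclass(frozen=True)
class Packet:
    """One pass of a packet through the firewall hook."""
    rcvif: Optional[str]   # interface the packet arrived on; None if generated locally
    oif: Optional[str]     # interface it is leaving on; None while still incoming

    @property
    def outgoing(self) -> bool:
        return self.oif is not None


def iface_match(ifname: Optional[str], spec: str) -> bool:
    """Match against ifX (exact, e.g. de0), if* (driver wildcard, e.g. de*)
    or any.  Matching by IP address (ipno) is not modelled here."""
    if ifname is None:
        return False          # the packet has no such interface, so no match
    if spec == "any":
        return True
    return fnmatchcase(ifname, spec)


@dataclass(frozen=True)
class Rule:
    direction: Optional[str] = None   # "in", "out" or None (either)
    recv: Optional[str] = None
    xmit: Optional[str] = None
    via: Optional[str] = None

    def __post_init__(self) -> None:
        if self.xmit is not None and self.direction != "out":
            # ipfw(8): out is required (and in is invalid) whenever xmit is used
            raise ValueError("xmit requires out")

    def matches(self, pkt: Packet) -> bool:
        if self.direction == "in" and pkt.outgoing:
            return False
        if self.direction == "out" and not pkt.outgoing:
            return False
        if self.recv is not None and not iface_match(pkt.rcvif, self.recv):
            return False
        if self.xmit is not None and not iface_match(pkt.oif, self.xmit):
            return False
        if self.via is not None:
            # via checks the transmit interface when there is one, else the receive one
            checked = pkt.oif if pkt.outgoing else pkt.rcvif
            if not iface_match(checked, self.via):
                return False
        return True

    def text(self) -> str:
        """Render the option fragment in ipfw rule syntax, e.g. 'out recv de1 xmit de0'."""
        parts = [self.direction] if self.direction else []
        for key in ("recv", "xmit", "via"):
            val = getattr(self, key)
            if val is not None:
                parts += [key, val]
        return " ".join(parts)


# The three kinds of packet a two-NIC firewall sees (constructed samples).
# A packet forwarded from the LAN to the WAN passes the hook twice: first as
# "in" on de1, then as "out" on de0 while still remembering it came in on de1.
FORWARDED_LAN_TO_WAN = [Packet(rcvif=LAN, oif=None), Packet(rcvif=LAN, oif=WAN)]
LOCAL_TO_WAN = [Packet(rcvif=None, oif=WAN)]     # generated by the firewall host itself
WAN_TO_HOST = [Packet(rcvif=WAN, oif=None)]      # addressed to the firewall host


def trace(rule: Rule, passes: List[Packet]) -> List[bool]:
    """Which passes of a packet the rule would match, in order."""
    return [rule.matches(p) for p in passes]


if __name__ == "__main__":
    for r in (Rule("in", recv=LAN), Rule("out", xmit=WAN),
              Rule("out", recv=LAN, xmit=WAN), Rule(via=LAN), Rule(recv=LAN)):
        print(f"{r.text():24s} forwarded={trace(r, FORWARDED_LAN_TO_WAN)} "
              f"local={trace(r, LOCAL_TO_WAN)} wan_to_host={trace(r, WAN_TO_HOST)}")
```

Running it shows why `out recv de1 xmit de0` is a meaningful rule: it matches only the second pass of a forwarded LAN-to-WAN packet and never a packet the firewall host generated itself, since that packet has no receive interface. It also shows the trap with `via`: `via de1` matches the forwarded packet on its incoming pass but not on its outgoing pass, because on an outgoing packet `via` looks at the transmit interface only.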