From owner-freebsd-questions@FreeBSD.ORG Thu Jul 28 20:40:33 2005
From: Dave McCammon <davemac11@yahoo.com>
To: "Gary W. Swearingen", freebsd-questions@freebsd.org
Date: Thu, 28 Jul 2005 13:40:32 -0700 (PDT)
Subject: Re: Can someone clarify ipfw's in/out/recv/xmit/via concepts?
Message-ID: <20050728204032.71440.qmail@web32812.mail.mud.yahoo.com>
In-Reply-To: <3tll3tystl.l3t@mail.opusnet.com>

--- "Gary W. Swearingen" wrote:

> I see in another msg that I'm not the only one scratching my head over
> the ipfw manpage's explanation of in/out/recv/xmit/via concepts.
> I've spent many hours reading that manpage and working on my rc.firewall
> (and it seems to work OK, based on the logging), but I can't figure
> out what it's trying to tell me, even with that nice ASCII art.
>
> (I hope your replies will help me get some clarifications into the
> manpage.)
>
>       ^    to upper layers    v
>       |                       |
>       +----------->-----------+
>       ^                       v
>  [ip_input]              [ip_output]     net.inet.ip.fw.enable=1
>       |                       |
>       ^                       v
>  [ether_demux]    [ether_output_frame]   net.link.ether.ipfw=1
>       |                       |
>       +-->--[bdg_forward]-->--+          net.link.ether.bridge_ipfw=1
>       ^                       v
>       |      to devices       |
>       +                       +
>
>   FROM BOTH               TO BOTH
>     NICS?                   NICS?
>
> Here's a pic of my firewall:
>
>  +------------------------------+
>  | +--------------------------+ |
>  | |          KERNEL          | |
>  | +--------------------------+ |
>  |   |   |              |   |   |
>  |   v   ^              v   ^   |
>  |   |   |              |   |   |
>  | +-------+          +-------+ |
>  | |  NIC  |    FW    |  NIC  | |
>  | +-------+          +-------+ |
>  |   |   |              |   |   |
>  +------------------------------+
>      |   |              |   |
>      v   ^              v   ^
>      |   |              |   |
>
>     WAN                  LAN
>
> The manpage says we have incoming and outgoing packets.
> In and out of what? NIC or kernel or ipfw or computer?
>
> The manpage describes:
>     recv | xmit | via {ifX | if* | ipno | any}
>
> Is my "de0" an "ifX" or an "if*"? ("exact name" or "device name")
>
> What would be an example of the other?
>
> Does "ipno" mean a numerical Internet address?
> (It's not mentioned elsewhere in the manpage.)
>
> Does each of my NICs have both of the manpage's xmit and recv
> interfaces, or is one an xmit and one a recv for any one packet rule?
>
> If an incoming packet can be associated with an xmit interface, why
> can't an outgoing packet be associated with a recv interface?
>
> P.S.
>
> It seems that some people do their blocking of packets going from LAN
> to WAN "on" (so to speak) the LAN interface, some on the WAN interface,
> and some on both. It doesn't seem to make much difference on a pure
> firewall, except for rule-writing convenience. Right?
>
> I suppose it would be best to put blocks everywhere possible, or at
> least "where" the packets enter the computer. Right?
>
> Help!!

Here is a link to a thread that helped me to understand the in/out/recv/xmit stuff.

http://groups-beta.google.com/group/comp.unix.bsd.freebsd.misc/tree/browse_frm/thread/240d22a55265689/4bb2dd91a376fa6c?rnum=1&hl=en&_done=%2Fgroup%2Fcomp.unix.bsd.freebsd.misc%2Fbrowse_frm%2Fthread%2F240d22a55265689%2F2c14cdd252d01ff2%3Fhl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26rnum%3D4%26prev%3D%2Fgroups%3Fq%3Dipfw%2Bout%2Brecv%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26selm%3D3B5E86C8.8438BEE7%2540amit.cz%26rnum%3D4%26#doc_8d3d7ceea76d1cca

OK, kind of long... do a search in Google Groups using:

    Why is there a "out recv" interface spec in ipfw?
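The following Python model is an added illustration, not part of this thread and not FreeBSD code. It encodes what the ipfw(8) manpage states for the options Gary asks about: `in`/`out` are the packet's direction relative to the host (received by the kernel vs. about to be transmitted); `recv` is the interface the packet arrived on and is known for incoming packets and for forwarded outgoing packets alike; `xmit` is the interface the packet will leave on and is only known once the packet is outgoing, so the manpage requires `out` with it; `via` means "going through", which the model matches against the xmit interface of an outgoing packet and the recv interface of an incoming one; an interface spec is an exact name (`ifX`, e.g. de0), a device-name wildcard (`if*`, e.g. de*), an address configured on the interface (`ipno`), or `any`. The key point for the P.S. is that a forwarded packet passes ipfw twice, once at ip_input and once at ip_output, so a LAN-to-WAN block can be written at either pass. The interface names de0/de1 and their addresses are constructed for a two-NIC box; `parse_opts`, `matches` and `forwarded_passes` are names chosen here, not ipfw's.

```python
"""Toy model of ipfw(8)'s in/out/recv/xmit/via interface matching.

Added illustration, not code from this thread or from FreeBSD. Rule text
is only the trailing interface options, e.g. "out recv de1 xmit de0".
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional

# Constructed interface table: de0 faces the WAN, de1 faces the LAN.
IFACES: Dict[str, str] = {"de0": "203.0.113.2", "de1": "192.168.1.1"}


@dataclass
class Packet:
    direction: str        # "in" (just received) or "out" (about to be sent)
    recv: Optional[str]   # interface it arrived on; None if locally generated
    xmit: Optional[str]   # interface it will leave on; None while still incoming


def iface_matches(spec: str, ifname: Optional[str]) -> bool:
    """Match one spec (ifX, if*, ipno or any) against an interface name."""
    if ifname is None:
        return False
    if spec == "any":
        return True
    if spec.endswith("*"):                 # device-name wildcard, e.g. de*
        return fnmatchcase(ifname, spec)
    if spec in IFACES:                     # exact name, e.g. de0
        return spec == ifname
    return IFACES.get(ifname) == spec      # numeric address of the interface


def parse_opts(text: str) -> Dict[str, Optional[str]]:
    """Parse 'in|out', 'recv X', 'xmit Y', 'via Z' from an ipfw rule tail."""
    opts: Dict[str, Optional[str]] = {"dir": None, "recv": None,
                                      "xmit": None, "via": None}
    toks = text.split()
    i = 0
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            opts["dir"] = t
            i += 1
        elif t in ("recv", "xmit", "via"):
            opts[t] = toks[i + 1]
            i += 2
        else:
            raise ValueError(f"unsupported option {t!r}")
    if opts["xmit"] and opts["dir"] != "out":
        # The manpage: xmit can only be tested on outgoing packets,
        # so 'out' is required (and 'in' is invalid) whenever xmit is used.
        raise ValueError("xmit requires 'out'")
    return opts


def matches(opts: Dict[str, Optional[str]], pkt: Packet) -> bool:
    """Does a parsed option set match this packet at this firewall pass?"""
    if opts["dir"] and opts["dir"] != pkt.direction:
        return False
    if opts["recv"] and not iface_matches(opts["recv"], pkt.recv):
        return False
    if opts["xmit"] and not iface_matches(opts["xmit"], pkt.xmit):
        return False
    if opts["via"]:
        # "going through": the xmit side once outgoing, the recv side before
        through = pkt.xmit if pkt.direction == "out" else pkt.recv
        if not iface_matches(opts["via"], through):
            return False
    return True


def forwarded_passes(recv_if: str, xmit_if: str) -> List[Packet]:
    """A forwarded packet is seen by ipfw twice: at ip_input (in, xmit not
    yet known) and again at ip_output (out, both interfaces known)."""
    return [Packet("in", recv_if, None), Packet("out", recv_if, xmit_if)]


def first_match(rules: List[str], pkt: Packet) -> Optional[int]:
    """Index of the first rule whose options match the packet, or None."""
    for idx, rule in enumerate(rules):
        if matches(parse_opts(rule), pkt):
            return idx
    return None


if __name__ == "__main__":
    # Same LAN-to-WAN packet, both passes, under several ways of writing the rule.
    lan_to_wan = forwarded_passes("de1", "de0")
    for rule in ("in recv de1", "out xmit de0", "out recv de1 xmit de0",
                 "via de0", "recv de*"):
        hits = [p.direction for p in lan_to_wan if matches(parse_opts(rule), p)]
        print(f"{rule:24s} matches passes: {hits}")
```

Running the block shows that `in recv de1` catches the packet only on its way in, `out xmit de0` and `out recv de1 xmit de0` only on its way out, and `recv de*` on both passes, which is why the placement choice in the P.S. is largely one of convenience on a pure forwarding firewall.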