From owner-freebsd-questions@FreeBSD.ORG  Sun Feb 29 14:58:55 2004
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id F0DB916A4CE
	for <questions@freebsd.org>; Sun, 29 Feb 2004 14:58:55 -0800 (PST)
Received: from spock.ste-land.com (spock.ste-land.com [64.32.179.40])
	by mx1.FreeBSD.org (Postfix) with ESMTP id A997D43D31
	for <questions@freebsd.org>; Sun, 29 Feb 2004 14:58:55 -0800 (PST)
	(envelope-from ste@ste-land.com)
Received: from ste-land.com (bgp377940bgs.plnfld01.nj.comcast.net
	[68.36.5.198])
	by spock.ste-land.com (Postfix) with ESMTP id C18DF2D24C
	for <questions@freebsd.org>; Sun, 29 Feb 2004 17:58:54 -0500 (EST)
Message-ID: <40426EAD.50004@ste-land.com>
Date: Sun, 29 Feb 2004 17:58:53 -0500
From: "Shaun T. Erickson" <ste@ste-land.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
	rv:1.4b) Gecko/20030507
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: questions@freebsd.org
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Subject: ipfw ruleset traversal question
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 29 Feb 2004 22:58:56 -0000

I'm trying to port my linux netfilter/iptables firewall to 5.2.1-RESLEASE.

Iptables has the concept of "chains". There are three defined by the 
system: INPUT, FORWARD & OUTPUT. Packets coming into the system that are 
destined for a local process traverse the INPUT chain only, packet 
generated by the system, and leaving it, traverse the OUTPUT chain only, 
and packets that are simply passing through the system traverse the 
FORWARD chain only. One nice benefit of this, is that inbound packets 
don't have to traverse rules for outbound packets and vice-versa. This 
allows efficient grouping of rules and reduces the performance hit of 
packets having to be checked by all rules.

How can I set up my ipfw ruleset so that I can achieve that same benefit?

TIA

	-ste