From: Alex de Kruijff <freebsd@akruijff.dds.nl>
To: "Shaun T. Erickson"
Cc: questions@freebsd.org
Subject: Re: ipfw ruleset traversal question
Date: Mon, 01 Mar 2004 02:25:30 +0100
Message-id: <20040301012530.GH42000@alex.lan>
In-reply-to: <40426EAD.50004@ste-land.com>

On Sun, Feb 29, 2004 at 05:58:53PM -0500, Shaun T. Erickson wrote:
> I'm trying to port my linux netfilter/iptables firewall to 5.2.1-RELEASE.
>
> Iptables has the concept of "chains". There are three defined by the
> system: INPUT, FORWARD & OUTPUT. Packets coming into the system that are
> destined for a local process traverse the INPUT chain only, packets
> generated by the system, and leaving it, traverse the OUTPUT chain only,
> and packets that are simply passing through the system traverse the
> FORWARD chain only. One nice benefit of this is that inbound packets
> don't have to traverse rules for outbound packets and vice-versa. This
> allows efficient grouping of rules and reduces the performance hit of
> packets having to be checked by all rules.
>
> How can I set up my ipfw ruleset so that I can achieve that same benefit?

IPFW has one list of rules (with the option to select in/out) that results in
the behaviour you describe. I have an example on my home page where I select
incoming and outgoing packets. Forward is an action just like skipto, reject,
allow and deny are. See man ipfw for more info.

-- 
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/index.php?dir=docs/FreeBSD/
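The ruleset below is an added example, not code from Alex's reply or from his home page, of the layout he describes: one ipfw list, with the `in`/`out` keywords, `me`, and `skipto` used to send each packet straight to an INPUT-, OUTPUT- or FORWARD-like section so it never walks the rules for the other directions. The interface name `fxp0`, the section numbers 1000/2000/3000 and the 192.168.1.0/24 LAN are assumptions chosen here. `FWCMD` defaults to a dry run that prints the commands; set `FWCMD=ipfw` and run as root to load them.

```shell
#!/bin/sh
# Added example (not from the original thread): an ipfw ruleset grouped into
# direction-specific sections, so inbound packets never traverse outbound rules.
# Assumed values: EXT_IF=fxp0, the section numbers, and the 192.168.1.0/24 LAN.
# FWCMD defaults to a dry run that only prints the ipfw commands.
: "${FWCMD:=echo ipfw}"
: "${EXT_IF:=fxp0}"   # assumed external interface name

fw() { $FWCMD "$@"; }

load_rules() {
    fw -f flush

    # Dispatch rules: ipfw is first-match, so these three decide which section
    # a packet traverses. skipto only jumps forward, hence the ascending numbers.
    #   100: inbound and addressed to this host      -> INPUT section
    #   200: outbound and generated by this host     -> OUTPUT section
    #   300: everything else is routed (transit)     -> FORWARD section
    fw add 100 skipto 1000 ip from any to me in
    fw add 200 skipto 2000 ip from me to any out
    fw add 300 skipto 3000 ip from any to any

    # INPUT section (1000-1999)
    fw add 1000 allow ip from any to any via lo0
    fw add 1010 check-state
    fw add 1020 allow tcp from any to me 22 in recv "$EXT_IF" setup keep-state
    fw add 1030 allow icmp from any to me icmptypes 8 in
    # Final deny so nothing falls through into the OUTPUT section.
    fw add 1999 deny log ip from any to any

    # OUTPUT section (2000-2999)
    fw add 2000 allow ip from any to any via lo0
    fw add 2010 check-state
    fw add 2020 allow ip from me to any out keep-state
    fw add 2999 deny log ip from any to any

    # FORWARD section (3000-3999). Unlike netfilter's FORWARD chain, a routed
    # packet passes through ipfw twice (once "in", once "out"), landing here
    # both times because it is neither "to me" nor "from me".
    fw add 3000 check-state
    fw add 3010 allow tcp from 192.168.1.0/24 to any out xmit "$EXT_IF" setup keep-state
    fw add 3999 deny log ip from any to any
}

load_rules
```

The end-of-section `deny` rules matter: without them a packet that matched nothing in its section would continue down the list into the next section's rules, which is exactly the cross-traversal the layout is meant to avoid.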