Date: Sun, 4 Nov 2001 00:58:08 -0600 (CST)
From: Anatoly Karp <karp@math.wisc.edu>
To: ryan@sasknow.com
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: [Q] why does this ipfw rule not match?
Message-ID: <200111040658.AAA22079@erdos.math.wisc.edu>
In-Reply-To: <Pine.BSF.4.21.0111040035390.66878-100000@ren.sasknow.com> (message from Ryan Thompson on Sun, 4 Nov 2001 00:40:18 -0600 (CST))
References: <Pine.BSF.4.21.0111040035390.66878-100000@ren.sasknow.com>
>>>>> "Ryan" == Ryan Thompson <ryan@sasknow.com> writes:

Ryan> Anatoly Karp wrote to freebsd-questions@FreeBSD.ORG:

<snip>

>> my-host:~# ipfw show
>> 00100 341566 269400058 allow ip from any to any via lo0
>> 00200 0 0 deny ip from any to 127.0.0.0/8
>> 00300 0 0 deny ip from 127.0.0.0/8 to any
>> 08800 0 0 allow tcp from 127.0.0.1 to any

Ryan> Rule 8800 will never match, thanks to 200 and 300, as those
Ryan> are checked first. If IP is denied to and from the network
Ryan> 127.0.0.0/8 (rules 200 and 300, respectively), then
Ryan> certainly, TCP will not get through either. Don't read these
Ryan> words and delete rules 200 and 300, though. :-)

First of all, thank you for your response. I understand what I was
confused about now. But now I am intrigued by your last remark. This is
from the distribution /etc/rc.firewall:

############
# Only in rare cases do you want to change these rules
#
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

<snip>

Ryan> 8800 wouldn't match anyway, when you're browsing web sites
Ryan> on other machines, because that traffic is not going through
Ryan> 127.0.0.1 (or the loopback interface). It is being passed on
Ryan> your public interface on a different (probably public) IP
Ryan> address.

Exactly right. I was subconsciously (and irrationally!) assuming that the
two addresses are somehow identical from ipfw's point of view.
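The first-match behaviour Ryan describes, as an added example that is not part of the thread: a small Python model of the ruleset quoted above that reports which earlier rule takes a packet before rule 8800 could, and shows that browsing from the public address never reaches the loopback rules at all. The interface name em0 and the sample addresses are constructed assumptions, not values from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    number: int
    action: str                  # "allow" or "deny"
    proto: str                   # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    via: Optional[str] = None    # interface name; None means any interface

    def matches(self, proto, src, dst, iface):
        return (self.proto in ("ip", proto)
                and src in self.src and dst in self.dst
                and self.via in (None, iface))

ANY = ipaddress.ip_network("0.0.0.0/0")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
LOCALHOST = ipaddress.ip_network("127.0.0.1/32")

# The ruleset from the thread, with the packet/byte counters dropped.
RULESET = [
    Rule(100, "allow", "ip", ANY, ANY, via="lo0"),
    Rule(200, "deny", "ip", ANY, LOOPBACK),
    Rule(300, "deny", "ip", LOOPBACK, ANY),
    Rule(8800, "allow", "tcp", LOCALHOST, ANY),
]

def first_match(ruleset, proto, src, dst, iface):
    """ipfw semantics: rules are walked in ascending number and the first
    match decides. Returns (number, action), or (None, None) when the
    packet falls through to the default rule."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(ruleset, key=lambda r: r.number):
        if rule.matches(proto, src, dst, iface):
            return rule.number, rule.action
    return None, None

def shadowed_by(ruleset, number, iface="em0"):
    """Build a packet rule `number` would match (on the assumed public
    interface `iface` unless the rule names one) and report which earlier
    rule takes it first; None means the rule is reachable."""
    rule = next(r for r in ruleset if r.number == number)
    proto = "tcp" if rule.proto == "ip" else rule.proto
    hit, _ = first_match(ruleset, proto, str(rule.src.network_address),
                         str(rule.dst.network_address), rule.via or iface)
    return hit if hit != number else None
```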