From owner-freebsd-questions Sat Nov 3 22:58:14 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from lcyoung.math.wisc.edu (lcyoung.math.wisc.edu [144.92.166.90])
 by hub.freebsd.org (Postfix) with ESMTP id A13F037B406
 for ; Sat, 3 Nov 2001 22:58:11 -0800 (PST)
Received: from erdos.math.wisc.edu (erdos.math.wisc.edu [144.92.166.25])
 by lcyoung.math.wisc.edu (8.11.4/8.11.4) with ESMTP id fA46wBr28495;
 Sun, 4 Nov 2001 00:58:11 -0600 (CST)
Received: (from karp@localhost)
 by erdos.math.wisc.edu (8.9.3+Sun/8.9.3) id AAA22079;
 Sun, 4 Nov 2001 00:58:08 -0600 (CST)
Date: Sun, 4 Nov 2001 00:58:08 -0600 (CST)
Message-Id: <200111040658.AAA22079@erdos.math.wisc.edu>
X-Authentication-Warning: erdos.math.wisc.edu: karp set sender to karp@math.wisc.edu using -f
From: Anatoly Karp
To: ryan@sasknow.com
Cc: freebsd-questions@FreeBSD.ORG
In-reply-to: (message from Ryan Thompson on Sun, 4 Nov 2001 00:40:18 -0600 (CST))
Subject: Re: [Q] why does this ipfw rule not match?
References:
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

>>>>> "Ryan" == Ryan Thompson writes:

Ryan> Anatoly Karp wrote to freebsd-questions@FreeBSD.ORG:

>> my-host:~# ipfw show
>> 00100 341566 269400058 allow ip from any to any via lo0
>> 00200 0 0 deny ip from any to 127.0.0.0/8
>> 00300 0 0 deny ip from 127.0.0.0/8 to any
>> 08800 0 0 allow tcp from 127.0.0.1 to any

Ryan> Rule 8800 will never match, thanks to 200 and 300, as those
Ryan> are checked first. If IP is denied to and from the network
Ryan> 127.0.0.0/8 (rules 200 and 300, respectively), then
Ryan> certainly, TCP will not get through either. Don't read these
Ryan> words and delete rules 200 and 300, though. :-)

First of all, thank you for your response. I understand what I was
confused about now. But now I am intrigued by your last remark.
This is from the distribution /etc/rc.firewall:

    ############
    # Only in rare cases do you want to change these rules
    #
    ${fwcmd} add 100 pass all from any to any via lo0
    ${fwcmd} add 200 deny all from any to 127.0.0.0/8
    ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

Ryan> 8800 wouldn't match anyway, when you're browsing web sites
Ryan> on other machines, because that traffic is not going through
Ryan> 127.0.0.1 (or the loopback interface). It is being passed on
Ryan> your public interface on a different (probably public) IP
Ryan> address.

Exactly right. I was subconsciously (and irrationally!) assuming that the
two addresses are somehow identical from ipfw's point of view.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
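The two points made in this exchange, first-match ordering and the fact that loopback rules never see traffic carrying the public address, as an added example that is not part of the original mail and is not FreeBSD's ipfw: a small Python model that walks the quoted rule set in ipfw's ascending-number, stop-at-first-hit order, and a shadow check that reports rule 8800 as fully covered by the earlier rule 300. The sample packets, the interface name fxp0 and the addresses 192.0.2.10 and 198.51.100.80 are constructed for the example; only the keywords that appear in the quoted rules are parsed.

```python
"""Toy model of ipfw first-match rule evaluation (added example).

Not ipfw itself: a simplified evaluator for the handful of keywords used in
the quoted rule set (allow/pass, deny, ip/all, tcp, udp, 'from A to B',
optional 'via IFACE'). Real ipfw has far more (in/out, ports, keep-state,
skipto, ...); this model only demonstrates rule ordering and shadowing.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                   # "allow" or "deny"
    proto: str                    # "ip" (any protocol), "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    via: Optional[str]            # interface name, or None for any interface


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    iface: str


def _net(token: str) -> ipaddress.IPv4Network:
    # ipfw treats a bare address as a single host (/32)
    return ANY if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_rule(text: str) -> Rule:
    """Accept both 'ipfw show' output (with packet/byte counters) and the
    rc.firewall 'add N ...' form."""
    tok = text.split()
    if tok[0] == "add":
        tok = tok[1:]
    if tok[1].isdigit():          # 'ipfw show' prints counters after the number
        tok = [tok[0]] + tok[3:]
    number = int(tok[0])
    action = {"allow": "allow", "pass": "allow", "deny": "deny"}[tok[1]]
    proto = "ip" if tok[2] in ("ip", "all") else tok[2]
    if tok[3] != "from" or tok[5] != "to":
        raise ValueError("unsupported rule syntax: " + text)
    via = tok[8] if len(tok) > 8 and tok[7] == "via" else None
    return Rule(number, action, proto, _net(tok[4]), _net(tok[6]), via)


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto == "ip" or rule.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and (rule.via is None or rule.via == pkt.iface))


def first_match(rules: List[Rule], pkt: Packet) -> Optional[int]:
    """ipfw walks rules in ascending number order and stops at the first hit.
    Returns the number of the deciding rule, or None if this set falls through
    (to later rules, or to the kernel's default policy)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.number
    return None


def shadowing_rule(rules: List[Rule], target: Rule) -> Optional[int]:
    """Earliest rule whose match set contains target's whole match set, so that
    no packet can ever reach target. Sufficient, not complete: a rule can also
    be dead because several earlier rules together cover it."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.number >= target.number:
            break
        if (rule.proto in ("ip", target.proto)
                and target.src.subnet_of(rule.src)
                and target.dst.subnet_of(rule.dst)
                and (rule.via is None or rule.via == target.via)):
            return rule.number
    return None


def dead_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """(dead rule, rule that shadows it) for every fully shadowed rule."""
    out = []
    for rule in rules:
        shadow = shadowing_rule(rules, rule)
        if shadow is not None:
            out.append((rule.number, shadow))
    return out


# The rule set quoted in the mail, counters included as 'ipfw show' prints them.
RULESET = [parse_rule(line) for line in """
00100 341566 269400058 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
08800 0 0 allow tcp from 127.0.0.1 to any
""".strip().splitlines()]

# Constructed sample traffic; 'fxp0' and the public addresses are assumptions.
SAMPLES = {
    "loopback tcp": Packet("tcp", "127.0.0.1", "127.0.0.1", "lo0"),
    "127.0.0.1 leaving on fxp0": Packet("tcp", "127.0.0.1", "198.51.100.80", "fxp0"),
    "browsing from public address": Packet("tcp", "192.0.2.10", "198.51.100.80", "fxp0"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:30} -> rule {first_match(RULESET, pkt)}")
    print("dead rules:", dead_rules(RULESET))
    # loopback tcp -> 100, 127.0.0.1 leaving on fxp0 -> 300,
    # browsing from public address -> None, dead rules: [(8800, 300)]
```

Running it shows the two halves of Ryan's answer: a packet from 127.0.0.1 is decided by rule 100 (via lo0) or rule 300 (any other interface) before 8800 is ever consulted, so `dead_rules` flags 8800 as shadowed by 300; and the browsing packet carries the public address, so none of the four loopback rules match it and it falls through to whatever comes later in the set. The shadow check is the kind of thing worth running over a real rule set after editing it: a rule whose counters stay at zero forever, like 8800 above, is often one that an earlier rule has already decided.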