Date:      Fri, 11 Jul 1997 09:15:05 +1000 (EST)
From:      "Daniel O'Callaghan" <danny@panda.hilink.com.au>
To:        Charles Owens <owensc@enc.edu>
Cc:        hackers list FreeBSD <freebsd-hackers@FreeBSD.ORG>, ari.suutari@ps.carel.fi
Subject:   Re: ipfw rules processing order when DIVERTing
Message-ID:  <Pine.BSF.3.91.970711090753.869K-100000@panda.hilink.com.au>
In-Reply-To: <Pine.FBS.3.93.970710121015.10980C-100000@dingo.its.enc.edu>


ipfw rules are parsed by rule number.  You also need to remember that 
packets are subjected to ipfw scrutiny on their way IN and on their way 
OUT.  Packets originating on the firewall machine are only seen going 
OUT, and packets arriving at the firewall machine are only seen coming 
IN.  Forwarded packets are seen going IN and OUT.

A rule

00100 pass icmp from any to any

will see icmp packets going through the machine twice (look at 'ipfw -a list'
and you'll see twice as many packets as you expect).

To reduce confusion, you can specify the direction of the packet to be 
matched, e.g.

00200 pass icmp from any to any in

When diverting packets, I always specify the direction, and often the 
interface.

00200 divert 1 tcp from any 80 to 1.2.3.4 in via de0

Of course, that only clarifies things for that rule, and the reinserted 
packet is still tested against all rules until a match is found.

Danny


/*  Daniel O'Callaghan                                                     */
/*  HiLink Internet <http://www.hilink.com.au/>        danny@hilink.com.au  */
/*  FreeBSD - works hard, plays hard...                 danny@freebsd.org  */

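The first-match rule walk Danny describes, as an added toy model that is not part of the message and not ipfw's own code: the rules, packets, interface names (de0/de1) and the `hits` counter are constructed to mirror the rules quoted above, and divert reinsertion is deliberately not modelled.

```python
# Added toy model of ipfw's first-match rule walk (not ipfw itself): it shows why a
# rule with no direction is hit on both the IN and OUT pass of a forwarded packet.
from dataclasses import dataclass

@dataclass
class Rule:
    number: int
    action: str            # "pass", "deny" or "divert"
    proto: str             # "icmp", "tcp" or "ip" (any protocol)
    direction: str = None  # "in", "out" or None (matches on both passes)
    via: str = None        # interface name, or None for any interface
    hits: int = 0          # the packet counter `ipfw -a list` displays

@dataclass
class Packet:
    proto: str
    iface_in: str = None   # arrival interface; None if it originated on the firewall
    iface_out: str = None  # departure interface; None if destined for the firewall

def passes(pkt):
    """Forwarded packets get an IN and an OUT pass; local ones get only one."""
    return [(d, i) for d, i in (("in", pkt.iface_in), ("out", pkt.iface_out)) if i]

def first_match(rules, pkt, direction, iface):
    """Walk rules by number; the first match wins and its counter is bumped."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.proto not in ("ip", pkt.proto):
            continue
        if (r.direction and r.direction != direction) or (r.via and r.via != iface):
            continue
        r.hits += 1
        return r
    raise RuntimeError("no rule matched; a real ipfw set ends with a default rule")

def count_hits(rules, packets):
    """Evaluate every pass of every packet; return {rule number: hits}.
    Divert reinsertion is not modelled: each pass is judged on its own."""
    for pkt in packets:
        for direction, iface in passes(pkt):
            first_match(rules, pkt, direction, iface)
    return {r.number: r.hits for r in rules}

def demo():
    """Constructed rule set and traffic mirroring the rules quoted in the message."""
    rules = [Rule(100, "pass", "icmp"),                   # hit on IN and on OUT
             Rule(200, "pass", "icmp", direction="in"),   # never reached: 100 wins
             Rule(300, "divert", "tcp", direction="in", via="de0"),
             Rule(65535, "deny", "ip")]                   # default rule
    packets = [Packet("icmp", iface_in="de0", iface_out="de1"),  # forwarded ping
               Packet("icmp", iface_out="de0"),                  # ping from the firewall
               Packet("tcp", iface_in="de0", iface_out="de1"),   # web reply arriving on de0
               Packet("tcp", iface_in="de1", iface_out="de0")]   # same, but via de1
    return count_hits(rules, packets)
```

Rule 100 ends up with three hits from two ICMP packets (two passes for the forwarded one, one for the locally generated one), which is the doubled count the message warns about; the divert rule fires only for the inbound pass on de0.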