From owner-freebsd-hackers Thu Jul 10 16:16:46 1997
Date: Fri, 11 Jul 1997 09:15:05 +1000 (EST)
From: "Daniel O'Callaghan" <danny@hilink.com.au>
To: Charles Owens
cc: hackers list FreeBSD, ari.suutari@ps.carel.fi
Subject: Re: ipfw rules processing order when DIVERTing

ipfw rules are parsed by rule number. You also need to remember that
packets are subjected to ipfw scrutiny on their way IN and on their way
OUT. Packets originating on the firewall machine are only seen going OUT,
and packets arriving at the firewall machine are only seen coming IN.
Forwarded packets are seen going IN and OUT.

A rule

    00100 pass icmp from any to any

will see icmp packets going through the machine twice (look at
'ipfw -a list' and you'll see twice as many packets as you expect).

To reduce confusion, you can specify the direction of the packet to be
matched, e.g.

    00200 pass icmp from any to any in

When diverting packets, I always specify the direction, and often the
interface.

    00200 divert 1 tcp from any 80 to 1.2.3.4 in via de0

Of course, that only clarifies things for that rule, and the reinserted
packet is still tested against all rules until a match is found.

Danny

/* Daniel O'Callaghan                                                 */
/* HiLink Internet                      danny@hilink.com.au           */
/* FreeBSD - works hard, plays hard...  danny@freebsd.org             */
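The following is an added example, not part of the mail above and not FreeBSD source: a small Python model of the rule processing Danny describes, written so you can watch the per-rule counters that 'ipfw -a list' would show. It models only what the mail states (rules tried in rule-number order with the first match deciding; a forwarded packet inspected once IN and once OUT, a locally generated one OUT only, a locally destined one IN only; optional 'in'/'out' and 'via <iface>' qualifiers; a divert rule handing the packet to a divert port, after which the reinserted packet keeps being tested against the following rules until one matches). The addresses, interface names de0/de1, the implicit final deny and the detail that reinsertion resumes right after the divert rule are assumptions of the model.

```python
"""Toy model of ipfw rule evaluation as described in the mail (added example,
not FreeBSD code).  Addresses, interfaces and the 'resume after the divert
rule' behaviour are assumptions made for the demonstration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    proto: str            # 'icmp', 'tcp' or 'udp'
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


@dataclass
class Rule:
    number: int
    action: str                      # 'pass', 'deny' or 'divert'
    proto: str                       # 'ip' matches every protocol
    src: str = 'any'
    sport: Optional[int] = None
    dst: str = 'any'
    dport: Optional[int] = None
    direction: Optional[str] = None  # 'in', 'out' or None (matches both)
    via: Optional[str] = None        # interface name or None (any interface)
    divert_port: Optional[int] = None
    packets: int = 0                 # the counter 'ipfw -a list' would print

    def matches(self, pkt: Packet, direction: str, iface: str) -> bool:
        return (self.proto in ('ip', pkt.proto)
                and self.src in ('any', pkt.src)
                and (self.sport is None or self.sport == pkt.sport)
                and self.dst in ('any', pkt.dst)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.direction is None or self.direction == direction)
                and (self.via is None or self.via == iface))


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = sorted(rules, key=lambda r: r.number)   # rule-number order
        self.diverted: List[Tuple[int, Packet]] = []         # (port, packet) handed out

    def check(self, pkt: Packet, direction: str, iface: str) -> str:
        """One inspection pass (IN or OUT); returns 'pass' or 'deny'."""
        start = 0
        while True:
            for i in range(start, len(self.rules)):
                rule = self.rules[i]
                if not rule.matches(pkt, direction, iface):
                    continue
                rule.packets += 1
                if rule.action == 'divert':
                    # Hand the packet to the divert socket; the reinserted packet
                    # is tested against the remaining rules (assumed: resumes
                    # at the rule after the divert rule).
                    self.diverted.append((rule.divert_port, pkt))
                    start = i + 1
                    break
                return rule.action
            else:
                return 'deny'   # assumed implicit final deny when nothing matched

    def forward(self, pkt: Packet, in_iface: str, out_iface: str) -> str:
        """Packet transiting the firewall host: inspected IN, then OUT."""
        if self.check(pkt, 'in', in_iface) == 'deny':
            return 'deny'
        return self.check(pkt, 'out', out_iface)

    def local_out(self, pkt: Packet, iface: str) -> str:
        """Packet originating on the firewall: seen going OUT only."""
        return self.check(pkt, 'out', iface)

    def local_in(self, pkt: Packet, iface: str) -> str:
        """Packet addressed to the firewall: seen coming IN only."""
        return self.check(pkt, 'in', iface)

    def list_counts(self) -> Dict[int, int]:
        return {r.number: r.packets for r in self.rules}


def demo() -> Tuple[Dict[int, int], Dict[int, int]]:
    """One forwarded ICMP packet against the two rule sets from the mail."""
    ping = Packet('icmp', '10.0.0.5', None, '192.0.2.9', None)   # constructed
    fw_both = Firewall([Rule(100, 'pass', 'icmp')])               # counts twice
    fw_in = Firewall([Rule(200, 'pass', 'icmp', direction='in'),  # counts once
                      Rule(300, 'pass', 'ip')])
    fw_both.forward(ping, 'de0', 'de1')
    fw_in.forward(ping, 'de0', 'de1')
    return fw_both.list_counts(), fw_in.list_counts()


def divert_demo() -> Tuple[str, List[int], Dict[int, int]]:
    """'00200 divert 1 tcp from any 80 to 1.2.3.4 in via de0' from the mail."""
    fw = Firewall([Rule(200, 'divert', 'tcp', sport=80, dst='1.2.3.4',
                        direction='in', via='de0', divert_port=1),
                   Rule(300, 'pass', 'ip')])
    reply = Packet('tcp', '198.51.100.7', 80, '1.2.3.4', 40000)   # constructed
    verdict = fw.forward(reply, 'de0', 'de1')
    return verdict, [port for port, _ in fw.diverted], fw.list_counts()


if __name__ == '__main__':
    print(demo())          # ({100: 2}, {200: 1, 300: 1})
    print(divert_demo())   # ('pass', [1], {200: 1, 300: 2})
```

Running demo() shows the doubled counter on rule 100 versus the single hit on rule 200 once 'in' is added; divert_demo() shows that the diverted packet is handed to port 1 exactly once (the OUT pass on de1 never matches the 'in via de0' rule) and that the reinserted packet is still counted by rule 300 before being passed.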