From: RW <rwmaillists@googlemail.com>
To: freebsd-questions@freebsd.org
Date: Thu, 27 Jul 2017 17:43:08 +0100
Subject: Re: Question regarding IPFW manual page description
Message-ID: <20170727174308.57f6506c@gumby.homeunix.com>

On Thu, 27 Jul 2017 12:23:33 -0400
Makketron wrote:

> Hello,
> According to https://www.freebsd.org/cgi/man.cgi?ipfw(8) , we have:
>
> "Also note that each packet is always checked against the complete
> ruleset, irrespective of the place where the check occurs, or the
> source of the packet."
>
> According to
> https://www.freebsd.org/doc/handbook/firewalls-ipfw.html , we have:
>
> When a packet enters the IPFW firewall, it is compared against the
> first rule in the ruleset and progresses one rule at a time, moving
> from top to bottom in sequence. When the packet matches the selection
> parameters of a rule, the rule's action is executed and the search of
> the ruleset terminates for that packet. ...
>
> So in the manual pages, when it is said that packet is ALWAYS checked
> against the COMPLETE ruleset, I understand that if packet matches
> rule A, it will still be compared against the remaining rule sets,
> which raises the question, if two rules match, which one wins.

Just above that it says:

"A packet is checked against the active ruleset in multiple places in
the protocol stack, under control of several sysctl variables."

My reading is that by "complete ruleset" it means that it's not
selective about which rules run at which place in the stack.
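The two statements quoted in this thread fit together as a small model, added here as an example that is not part of the thread and not FreeBSD's ipfw code. It walks a constructed ruleset top to bottom and stops at the first match (the handbook's description), and it consults that same complete ruleset at every check point, with only the packet's direction differing per hook (the man page's description). The rule fields, the hook names `ip_input`/`ip_output` and the sample addresses are assumptions chosen for illustration; the default rule 65535 is modelled as `deny`.

```python
# Added example, not from the mailing-list thread or from FreeBSD's ipfw sources:
# a toy first-match evaluator for the ipfw semantics quoted above.
# Rule fields and hook names are assumptions chosen for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# ipfw's implicit last rule; modelled as deny (the kernel default unless built to accept).
DEFAULT_RULE = (65535, "deny")


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # "allow" or "deny"
    proto: str = "ip"                # "ip" matches any protocol
    src: str = "any"                 # "any" or a CIDR block
    dst: str = "any"
    dport: Optional[int] = None      # None matches any destination port
    direction: Optional[str] = None  # "in", "out", or None for both


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None
    direction: str = "in"


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when every selection parameter of the rule fits the packet."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    return _addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)


def all_matches(ruleset: List[Rule], pkt: Packet) -> List[int]:
    """Every rule that would match on its own; only the first one is acted on."""
    return [r.number for r in sorted(ruleset, key=lambda r: r.number)
            if rule_matches(r, pkt)]


def first_match(ruleset: List[Rule], pkt: Packet) -> Tuple[int, str]:
    """Handbook semantics: walk top to bottom, stop at the first matching rule."""
    for rule in sorted(ruleset, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule.number, rule.action
    return DEFAULT_RULE


def check_at_hooks(ruleset: List[Rule], pkt: Packet) -> Dict[str, Tuple[int, str]]:
    """Man-page semantics: the same complete ruleset is consulted at every
    check point. The hook only fixes the packet's direction there; it never
    selects a subset of rules. Hook names are illustrative."""
    results = {}
    for hook, direction in (("ip_input", "in"), ("ip_output", "out")):
        pkt_here = Packet(pkt.proto, pkt.src, pkt.dst, pkt.dport, direction)
        results[hook] = first_match(ruleset, pkt_here)
    return results


# Constructed ruleset: rules 200, 300 and 400 overlap on purpose so that
# "if two rules match, which one wins" has a visible answer.
RULESET = [
    Rule(100, "deny", proto="icmp", direction="in"),
    Rule(200, "deny", proto="tcp", src="10.0.0.0/8", dport=22),
    Rule(300, "allow", proto="tcp", dport=22),
    Rule(400, "allow", proto="tcp", src="10.0.0.0/8"),
]

if __name__ == "__main__":
    ssh_from_lan = Packet("tcp", "10.1.2.3", "192.0.2.10", 22)
    print(all_matches(RULESET, ssh_from_lan))   # [200, 300, 400]
    print(first_match(RULESET, ssh_from_lan))   # (200, 'deny'): rule 200 wins
    ping = Packet("icmp", "198.51.100.7", "192.0.2.10")
    print(check_at_hooks(RULESET, ping))        # rule 100 on input, default on output
```

Three rules match the SSH packet from the 10/8 block, but only rule 200 is ever acted on, so ordering is the whole policy; the later `allow` rules are not consulted for that packet. The ICMP packet shows the other half: the same ruleset runs at both hooks, and rule 100 simply fails to match on the output pass because its `in` qualifier is not satisfied there.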