From: "Antoine Beaupre (LMC)" <Antoine.Beaupre@ericsson.ca>
To: stable@FreeBSD.ORG
Date: Thu, 17 May 2001 16:06:38 -0400
Organization: LMC, Ericsson Research Canada
Subject: Re: ipfw
Message-ID: <3B042F4E.D1B583B0@lmc.ericsson.se>
References: <002c01c0df0a$d4539b90$632807d8@prosser.bentonrea.org>

[answers to be taken with a grain of salt, I'm not a wizard]

Brandt Everett wrote:
>
> I think this is correct but can someone please verify with me
>
> Situation:
> I have a firewall with the following rules.
>
> ${fwcmd} add pass ip from ${net1} to ${net2}
> ${fwcmd} add pass ip from ${net2} to ${net1}
>
> ${fwcmd} add divert natd all from any to any via ${natd_interface}
>
> Here is my question. If a packet matches one of the first two rules, does
> it drop out of the rule set and continue on?

Short answer, yes and no.

Medium answer: it drops out of the rule set and does not continue in the
ruleset.

Long answer: if it matches the first or second, the packet is passed
unaltered.

> I know that the divert will insert the packet back into the rule list on
> the next numbered rule.

Yes.

> Also, on a machine with two interfaces, is there somewhere I can find an
> order for the process or is this right.

You might like to use /etc/rc.firewall as an example. I had trouble figuring
it out at first, but try to make a copy of it and delete the lines that are
irrelevant. For example, choose a "client" setup, and remove all other
options. See what it looks like.

> example:
>
> (incoming
> packet)->(outsideif)->(ipfwrule)->(natd)->(ipfwrule)->(insideif)->continues
> on...

That would be a possible outcome.

> (outgoing packet)<-(outsideif)<-(ipfwrule)<-(natd)<-(ipfwrule)<-(insideif)<-
> starting packet..

That too.

> Can someone help clear this up?

I think you're right here.

A.
--
Semantics is the gravity of abstraction.
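The rule ordering discussed in this thread, as an added rc.firewall-style fragment that is not part of the original message or of FreeBSD's own /etc/rc.firewall. It numbers the rules explicitly so the traversal is visible: the two pass rules sit below the divert rule, so inside-to-inside traffic is accepted on first match and never reaches natd, while everything that does hit the divert rule re-enters the ruleset at the next number (400) already translated. The networks, interface name and the rules after the divert are assumptions for illustration; by default the script only prints the ipfw commands, and setting FWCMD=/sbin/ipfw applies them.

```shell
#!/bin/sh
# Added example: an rc.firewall-style ruleset with explicit rule numbers.
# Not FreeBSD's own rc.firewall. Addresses and interface are hypothetical.
#
# By default the commands are only echoed so the ordering can be inspected
# offline; run with FWCMD=/sbin/ipfw on a FreeBSD box to load them for real.
fwcmd="${FWCMD:-echo /sbin/ipfw}"

net1="192.168.1.0/24"      # assumed inside network 1
net2="192.168.2.0/24"      # assumed inside network 2
natd_interface="fxp0"      # assumed outside interface that natd listens on

build_rules() {
    ${fwcmd} -f flush

    # 100/200: traffic between the two inside nets. ipfw is first-match:
    # a packet that matches here is accepted and never reaches rule 300,
    # so it is never handed to natd.
    ${fwcmd} add 100 pass ip from ${net1} to ${net2}
    ${fwcmd} add 200 pass ip from ${net2} to ${net1}

    # 300: anything crossing the outside interface goes to natd. natd
    # re-injects the (translated) packet at the next rule number, 400,
    # so the rules below see post-NAT addresses.
    ${fwcmd} add 300 divert natd all from any to any via ${natd_interface}

    # 400+: policy for translated traffic (assumed, minimal: allow
    # established TCP, allow inside nets outward, log and deny the rest).
    ${fwcmd} add 400 pass tcp from any to any established
    ${fwcmd} add 500 pass ip from ${net1} to any
    ${fwcmd} add 600 pass ip from ${net2} to any
    ${fwcmd} add 65000 deny log ip from any to any
}

# Print the rule number of the first rule matching a pattern, so the
# order of pass vs. divert can be checked without loading the ruleset.
rule_number() {
    build_rules | grep "$1" | head -n 1 | sed 's/.* add \([0-9]*\) .*/\1/'
}

build_rules
```

After loading for real, `ipfw -a list` shows the per-rule packet counters: if inside-to-inside traffic is being counted on rule 300 instead of 100/200, the pass rules are numbered after the divert and the order needs fixing.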