From owner-freebsd-stable Thu May 17 13:47:31 2001
From: "Brandt Everett" <everett@bentonrea.com>
To: "'Antoine Beaupre (LMC)'", freebsd-stable@freebsd.org
Subject: RE: ipfw
Date: Thu, 17 May 2001 13:46:57 -0700

[I prefer pepper]

Ok, I just wanted to make sure that I was thinking right before I went to hang myself. I was pretty sure it was a problem in my rule set.

Thanks.

Brandt Everett
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
phone: 1-800-398-1232 x 234
webpage: www.bentonrea.com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

> -----Original Message-----
> From: owner-freebsd-stable@FreeBSD.ORG [mailto:owner-freebsd-stable@FreeBSD.ORG] On Behalf Of Antoine Beaupre (LMC)
> Sent: Thursday, May 17, 2001 1:07 PM
> To: stable@FreeBSD.ORG
> Subject: Re: ipfw
>
> [answers to be taken with a grain of salt, I'm not a wizard]
>
> Brandt Everett wrote:
> >
> > I think this is correct but can someone please verify with me
> >
> > Situation:
> > I have a firewall with the following rules.
> >
> > ${fwcmd} add pass ip from ${net1} to ${net2}
> > ${fwcmd} add pass ip from ${net2} to ${net1}
> >
> > ${fwcmd} add divert natd all from any to any via ${natd_interface}
> >
> > Here is my question. If a packet matches one of the first two rules, does
> > it drop out of the rule set and continue on?
>
> Short answer, yes and no.
>
> Medium answer: it drops out of the rule set and does not continue in the
> ruleset.
>
> Long answer: if it matches the first or second, the packet is passed
> unaltered.
>
> > I know that the divert will
> > insert the packet back into the rule list on the next numbered rule.
>
> Yes.
>
> > Also, on a machine with two interfaces, is there somewhere I can find an
> > order for the process, or is this right?
>
> You might like to take /etc/rc.firewall as an example.
>
> I had trouble figuring it out at first, but try to make a copy of it and
> delete the lines that are irrelevant. For example, choose a "client"
> setup, and remove all other options.
>
> See what it looks like.
>
> > example:
> >
> > (incoming packet)->(outsideif)->(ipfwrule)->(natd)->(ipfwrule)->(insideif)->continues on...
>
> that would be a possible outcome.
>
> > (outgoing packet)<-(outsideif)<-(ipfwrule)<-(natd)<-(ipfwrule)<-(insideif)<- starting packet..
>
> That too.
>
> > Can someone help clear this up?
>
> I think you're right here.
>
> A.
> --
> Semantics is the gravity of abstraction.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
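As an added illustration of the first-match behaviour discussed in the thread (this is not code from the thread or from FreeBSD): a small Python model of the three rules above, in which a pass rule ends evaluation and a divert hands the packet to natd and re-enters the list at the next numbered rule. The network values, interface name, NAT address and rule numbers are constructed assumptions.

```python
import ipaddress

# Constructed stand-ins for the ${net1}, ${net2} and ${natd_interface}
# variables in the thread; the public address is an assumed NAT address.
NET1 = ipaddress.ip_network("192.168.1.0/24")
NET2 = ipaddress.ip_network("192.168.2.0/24")
NATD_IF = "ed0"
PUBLIC = "203.0.113.7"

# (number, action, from-net, to-net, via-interface); None means "any".
RULES = [
    (100, "pass", NET1, NET2, None),
    (200, "pass", NET2, NET1, None),
    (300, "divert", None, None, NATD_IF),
    (400, "pass", None, None, None),   # stand-in for rules after the divert
]

def matches(rule, pkt):
    """True if every non-wildcard field of the rule matches the packet."""
    _, _, src, dst, via = rule
    if src and ipaddress.ip_address(pkt["src"]) not in src:
        return False
    if dst and ipaddress.ip_address(pkt["dst"]) not in dst:
        return False
    if via and pkt["iface"] != via:
        return False
    return True

def natd(pkt):
    """Model of natd rewriting the source of an outbound private packet."""
    p = dict(pkt)
    if ipaddress.ip_address(p["src"]).is_private:
        p["src"] = PUBLIC
    return p

def evaluate(pkt, start=0):
    """Walk RULES from index start; return (final action, rule numbers hit, packet)."""
    hits = []
    for i in range(start, len(RULES)):
        rule = RULES[i]
        if not matches(rule, pkt):
            continue
        hits.append(rule[0])
        if rule[1] == "pass":
            return "pass", hits, pkt       # terminal: the packet leaves the ruleset
        if rule[1] == "divert":
            # natd returns the (possibly rewritten) packet at the NEXT rule
            action, more, pkt = evaluate(natd(pkt), i + 1)
            return action, hits + more, pkt
    return "deny", hits, pkt               # implicit default deny
```

Traffic between the two inside networks stops at rule 100 or 200 and is never diverted, while traffic leaving via the natd interface hits rule 300, is rewritten, and continues from rule 400.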