From: Dirk GOUDERS
To: questions@freebsd.org
Subject: Re: ipfw and tun0
Date: Sun, 24 Jul 2005 13:12:39 +0200
Message-Id: <200507241112.j6OBCdVx095354@karga.hank.home>
In-Reply-To: <42E0B3E8.8030000@mac.com> (Chuck Swiger, Fri, 22 Jul 2005 04:52:56 EDT)
List: freebsd-questions (User questions)

> >>> I just started to use an ADSL line with PPPoE and want to run a firewall
> >>> between it and my local network. What I am wondering about is that even
> >>> if I only have the default everything-blocking rule (deny ip from any to
> >>> any) I still see incoming packets on tun0 with tcpdump.
>
> If you are using PPPoE, the system de-encapsulates the IP traffic off of the
> PPP session via the tun0 interface. tun0 can be treated as your "external
> interface" when writing firewall rules, setting up NAT, etc.

Well, I am a little bit confused, because usually I run machines with
"real" NICs, and if I activate firewall rules that drop packets from that
NIC, I can run tcpdump on that NIC and will not see the dropped packets.

This is the naive view I have about this:

  NIC device (e.g. xl0)
  -----------------------------------------------------
  packets -> packets -> ... packets -> packets ->
  -----------------------------------------------------
          ^                             ^
          |                             |
  Here, ipfw checks              Here, tcpdump listens
  the packets against            and doesn't see dropped
  its rules and probably         packets
  drops packets

In the case of tun0, this order seems to be reversed...

> Right. This implies that the firewall rules are working. If you
> want to see what the situation looks like to a client machine
> behind the firewall, either tcpdump on a client machine, or tcpdump
> on the internal interface of the firewall box...

Does that mean that there is no way to inspect the network traffic from
tun0 after it has been "cleaned up" by ipfw and that is not forwarded to
the internal NIC?

Dirk
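One way to see what ipfw itself decided on tun0, independent of where tcpdump taps the interface, is to let the firewall log its own verdicts: a rule such as `ipfw add 65000 deny log ip from any to any` writes one syslog line per matching packet once `net.inet.ip.fw.verbose` is set to 1 (rate-limited by `net.inet.ip.fw.verbose_limit`), and an `allow log ...` rule does the same for traffic that was passed. The script below is an added example, not code from this thread or from FreeBSD; it parses lines in the classic ipfw syslog format ("ipfw: <rule> <action> <proto> <src> <dst> in|out via <iface>") and tallies denied and accepted packets on tun0. The sample log lines, hostname and addresses are constructed for the example, not captured from any real machine.

```python
"""Parse ipfw syslog output and tally what the firewall dropped or passed.

Added example (not from the mailing-list thread). Assumes the classic
IPv4 ipfw log format produced by rules carrying the "log" keyword with
net.inet.ip.fw.verbose=1. Sample lines below are constructed.
"""
import re
from collections import Counter

# Constructed sample syslog lines (RFC 5737 documentation addresses).
# The last line is ordinary sshd output and must be ignored by the parser.
SAMPLE_LOG = """\
Jul 24 13:12:39 karga kernel: ipfw: 65000 Deny TCP 203.0.113.7:4521 198.51.100.2:135 in via tun0
Jul 24 13:12:40 karga kernel: ipfw: 65000 Deny UDP 203.0.113.9:1026 198.51.100.2:1434 in via tun0
Jul 24 13:12:41 karga kernel: ipfw: 65000 Deny TCP 203.0.113.7:4522 198.51.100.2:445 in via tun0
Jul 24 13:12:42 karga kernel: ipfw: 200 Accept TCP 198.51.100.2:51020 192.0.2.10:80 out via tun0
Jul 24 13:12:43 karga kernel: ipfw: 65000 Deny ICMP:8.0 203.0.113.44 198.51.100.2 in via tun0
Jul 24 13:12:44 karga kernel: ipfw: 65000 Deny TCP 203.0.113.7:4523 198.51.100.2:139 in via tun0
Jul 24 13:12:45 karga sshd[1234]: Accepted publickey for hank from 10.8.0.1
"""

# ipfw prints ICMP as "ICMP:type.code" and omits ports for it, so the
# protocol field allows ':' and '.', and endpoints are split separately.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[\w:.]+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<direction>in|out) via (?P<iface>\S+)"
)


def split_endpoint(endpoint):
    """'203.0.113.7:4521' -> ('203.0.113.7', 4521); no ':' -> (addr, None).

    IPv4 only: ipfw logs IPv6 endpoints differently and this helper does
    not try to handle them.
    """
    host, sep, port = endpoint.rpartition(":")
    if not sep:
        return endpoint, None
    return host, int(port)


def parse_ipfw_log(text):
    """Return one dict per ipfw log line; non-ipfw lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        src, sport = split_endpoint(m["src"])
        dst, dport = split_endpoint(m["dst"])
        records.append({
            "rule": int(m["rule"]),
            "action": m["action"],       # "Deny", "Accept", ...
            "proto": m["proto"],
            "src": src, "sport": sport,
            "dst": dst, "dport": dport,
            "direction": m["direction"],  # "in" or "out"
            "iface": m["iface"],
        })
    return records


def denied_by_source(records, iface="tun0"):
    """Denied packets per source address on the given interface."""
    return Counter(r["src"] for r in records
                   if r["action"] == "Deny" and r["iface"] == iface)


def denied_ports(records, iface="tun0"):
    """Destination ports that were probed on iface and refused by ipfw."""
    return Counter(r["dport"] for r in records
                   if r["action"] == "Deny" and r["iface"] == iface
                   and r["dport"] is not None)


def passed(records, iface="tun0"):
    """Packets an 'allow log' rule let through on iface."""
    return [r for r in records
            if r["action"] == "Accept" and r["iface"] == iface]


if __name__ == "__main__":
    recs = parse_ipfw_log(SAMPLE_LOG)
    print(f"{len(recs)} ipfw records parsed")
    for src, n in denied_by_source(recs).most_common():
        print(f"  denied {n:3d} packet(s) from {src}")
    print("  refused dst ports:", dict(denied_ports(recs)))
    for r in passed(recs):
        print(f"  passed {r['proto']} {r['src']}:{r['sport']} -> "
              f"{r['dst']}:{r['dport']} ({r['direction']} via {r['iface']})")
```

On a real box the input would be `/var/log/security` (or wherever syslog.conf sends the `security` facility) rather than the embedded sample; the parser deliberately skips anything that is not an ipfw line so it can be fed the whole file. Because logging happens inside ipfw at the point where the verdict is made, this view reflects what the filter did with the tun0 traffic, regardless of whether tcpdump on tun0 shows packets before or after the rules run.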