From owner-freebsd-net@freebsd.org Mon Apr 30 17:53:59 2018
Delivered-To: freebsd-net@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id AF72DFB1F7A for ; Mon, 30 Apr 2018 17:53:59 +0000 (UTC) (envelope-from jmk@wagsky.com)
Received: from mx.allycomm.com (mx.allycomm.com [138.68.30.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 511697C5A8 for ; Mon, 30 Apr 2018 17:53:59 +0000 (UTC) (envelope-from jmk@wagsky.com)
Received: from JKLETSKY1-MBP15.local (184-23-191-38.vpn.dynamic.sonic.net [184.23.191.38]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.allycomm.com (Postfix) with ESMTPSA id 12E3D2369A; Mon, 30 Apr 2018 10:48:36 -0700 (PDT)
To: freebsd-net@freebsd.org
From: Jeff Kletsky
Subject: ipfw -- selecting locally generated packets
Message-ID: <979d3478-4bec-e6a1-41cd-bb26beb93123@wagsky.com>
Date: Mon, 30 Apr 2018 10:48:36 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Thunderbird/52.7.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-US
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Mon, 30 Apr 2018 17:53:59 -0000

From time to time, I rewrite my firewall rules to take advantage of the ever-improving set of features that ipfw provides. One of the challenges I have faced in the past was selecting packets that are generated on the firewall host itself, as opposed to those that it received through an interface.

While I find most of the Linux firewall implementations untenable for a variety of reasons, they do provide differentiation between what they call "OUTPUT" and "FORWARD". I'm looking to see if there is a "better" way to implement this kind of selection with the 11.1 version of ipfw.

"out and not in" many years ago seemed an obvious selector, and it's good to see that it is now clearly documented in "man ipfw" that it doesn't work, with "(in fact, out is implemented as not in)".

"not recv any" doesn't seem to be helpful either:

    $ sudo ipfw add 64000 count ip from any to any out xmit any not recv any
    64000 count ip from any to any out

In the past, I've tagged all incoming packets and used that tag to differentiate between the two. Is there something "cleaner" (or perhaps clearer) than using a tag in that way?

TIA,

Jeff
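The tag-based approach the message mentions, written out as a concrete rule fragment. This is an added example, not rules from the original post or from the FreeBSD project: every packet that arrives on an interface gets a tag in the "in" pass, and the "out" pass then matches on whether the tag is present. Rule numbers 100 to 300, tag value 1 and the use of non-terminating "count" rules (so the fragment can be dropped into an existing ruleset for observation before swapping in skipto/allow/deny) are assumptions. The classify function is only a model of what those three rules decide for a given packet; loading the rules requires root on FreeBSD, and the script just prints them elsewhere.

```shell
#!/bin/sh
# Added example (not from the original message): separate locally generated
# packets from forwarded ones in ipfw by tagging everything that enters on an
# interface. Rule numbers and the tag value are assumptions; fit them to your
# own ruleset. Set IPFW_APPLY=1 on a FreeBSD host (as root) to actually load.

TAG=1

# The rule fragment, one "ipfw" argument list per line.
#  100: non-terminating, attaches the tag to every packet seen on the in pass
#  200: out pass, no tag  -> never entered via an interface -> locally generated
#  300: out pass, tagged  -> entered via an interface        -> forwarded
rules() {
    cat <<EOF
add 100 count tag $TAG ip from any to any in
add 200 count ip from any to any out not tagged $TAG
add 300 count ip from any to any out tagged $TAG
EOF
}

# Model of the decision the three rules make for one packet, used here to
# document (and check) the expected outcome. DIRECTION is "in" or "out";
# TAGGED is 1 when the packet already carries the tag from rule 100.
classify() {
    direction=$1
    tagged=$2
    case "$direction:$tagged" in
        in:*)  echo "tagged" ;;             # rule 100 fires, tag attached
        out:1) echo "forwarded" ;;          # rule 300: tag survived to out pass
        out:0) echo "locally-generated" ;;  # rule 200: never passed rule 100
        *)     echo "unknown"; return 1 ;;
    esac
}

# Load the rules with ipfw when explicitly asked for on a host that has it;
# otherwise print the commands that would run.
load() {
    if [ "${IPFW_APPLY:-0}" = "1" ] && command -v ipfw >/dev/null 2>&1; then
        rules | while read -r line; do
            # shellcheck disable=SC2086  # word splitting of the rule is intended
            ipfw -q $line
        done
    else
        rules | sed 's/^/ipfw /'
    fi
}

load
```

Once the counters on rules 200 and 300 behave as expected, the "count" action on 200 and 300 is the place to substitute a skipto into separate chains for host-originated and forwarded traffic; rule 100 stays as it is, since tagging must not terminate processing.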