Date: Thu, 17 May 2001 16:06:38 -0400 From: "Antoine Beaupre (LMC)" <Antoine.Beaupre@ericsson.ca> To: stable@FreeBSD.ORG Subject: Re: ipfw Message-ID: <3B042F4E.D1B583B0@lmc.ericsson.se> References: <002c01c0df0a$d4539b90$632807d8@prosser.bentonrea.org>
[answers to be taken with a grain of salt, I'm not a wizard]
Brandt Everett wrote:
>
> I think this is correct but can someone please verify with me
>
> Situation:
> I have a firewall with the following rules.
>
> ${fwcmd} add pass ip from ${net1} to ${net2}
> ${fwcmd} add pass ip from ${net2} to ${net1}
>
> ${fwcmd} add divert natd all from any to any via ${natd_interface}
>
> Here is my question. If a packet matches one of the first two rules, does
> it drop out of the rule set and continue on?
Short answer, yes and no.
Medium answer: it drops out of the rule set and does not continue in the
ruleset.
Long answer: if it matches the first or second, the packet is passed
unaltered.
> I know that the divert will
> insert the packet back into the rule list on the next numbered rule.
Yes.
> Also, on a machine with two interfaces, is there somewhere I can find a
> order for the process or is this right.
You might like to use /etc/rc.firewall as an example.
I had trouble figuring it out at first, but try to make a copy of it and
delete the lines that are irrelevant. For example, choose a "client"
setup, and remove all other options.
See what it looks like.
> example:
>
> (incoming
> packet)->(outsideif)->(ipfwrule)->(natd)->(ipfwrule)->(insideif)->continues
> on...
that would be a possible outcome.
> (outgoing packet)<-(outsideif)<-(ipfwrule)<-(natd)<-(ipfwrule)<-(insideif)<-
> starting packet..
That too.
> Can someone help clear this up?
I think you're right here.
A.
--
Semantics is the gravity of abstraction.
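The first-match and divert semantics discussed in this thread, as an added model. This is not ipfw or natd code and is not from the original message: it is a small simulator that applies three rules of thumb from the reply above (first matching pass/deny ends processing; a divert to natd re-injects the translated packet at the next rule number; "via <if>" restricts a rule to one interface). The networks, interface names, the public address, the natd session mapping and the trailing rule 400 "pass ip from any to any" are all assumptions for the example; Brandt's rule set had only rules 100-300.

```python
"""Model of ipfw first-match processing with a 'divert natd' rule.

Added illustration only, not ipfw source. All addresses, interface names
and the rule table below are constructed sample data.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

NET1 = ip_network("192.168.1.0/24")      # assumed value of ${net1}
NET2 = ip_network("192.168.2.0/24")      # assumed value of ${net2}
NATD_IF = "fxp0"                          # assumed ${natd_interface}
PUBLIC_IP = ip_address("203.0.113.1")     # assumed address on fxp0
INSIDE_HOST = ip_address("192.168.1.10")  # assumed host behind natd


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    iface: str        # interface the packet is entering or leaving on
    direction: str    # "in" or "out"


def packet(src, dst, iface, direction):
    """Build a Packet from string addresses (convenience for callers)."""
    return Packet(ip_address(src), ip_address(dst), iface, direction)


# (number, action, src net or None, dst net or None, via interface or None)
# Rules 100-300 mirror the rule set quoted in the thread; rule 400 is an
# assumed catch-all pass, and 65535 is ipfw's implicit default deny rule.
RULES = [
    (100, "pass", NET1, NET2, None),
    (200, "pass", NET2, NET1, None),
    (300, "divert", None, None, NATD_IF),
    (400, "pass", None, None, None),
    (65535, "deny", None, None, None),
]


def matches(rule, pkt):
    """True if every constraint present in the rule holds for the packet."""
    _, _, src, dst, via = rule
    if src is not None and pkt.src not in src:
        return False
    if dst is not None and pkt.dst not in dst:
        return False
    if via is not None and pkt.iface != via:
        return False
    return True


def natd(pkt):
    """Tiny natd model: outbound packets get the public source address,
    inbound packets addressed to it are mapped to the assumed inside host."""
    if pkt.direction == "out":
        return replace(pkt, src=PUBLIC_IP)
    if pkt.direction == "in" and pkt.dst == PUBLIC_IP:
        return replace(pkt, dst=INSIDE_HOST)
    return pkt


def process(pkt, rules=RULES):
    """Walk the rules in order and return (final_action, trace).

    trace lists (rule_number, src, dst) for every rule that matched, so the
    caller can see whether the packet was evaluated before or after NAT.
    A pass or deny ends processing; a divert translates the packet and
    resumes at the next rule number rather than restarting at the top.
    """
    trace = []
    for rule in rules:
        if not matches(rule, pkt):
            continue
        num, action = rule[0], rule[1]
        trace.append((num, str(pkt.src), str(pkt.dst)))
        if action in ("pass", "deny"):
            return action, trace
        if action == "divert":
            pkt = natd(pkt)   # translated packet continues with the next rule
    return "deny", trace      # unreachable with the 65535 rule present


if __name__ == "__main__":
    for p in (packet("192.168.1.5", "192.168.2.7", "xl0", "out"),
              packet("192.168.1.10", "198.51.100.5", "fxp0", "out"),
              packet("198.51.100.5", "203.0.113.1", "fxp0", "in")):
        print(process(p))
```

The first packet (net1 to net2) matches rule 100 and never reaches the divert, which is the "drops out of the rule set" case; the second is diverted at 300 and then shows up at rule 400 with the public source address, which is the "re-enters at the next numbered rule" case. Swapping the order of rules 100/200 and 300 in `RULES` shows why the pass rules must come first if inter-network traffic is to bypass natd.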
