Date: Thu, 17 May 2001 13:46:57 -0700
From: "Brandt Everett" <everett@bentonrea.com>
To: "'Antoine Beaupre (LMC)'" <Antoine.Beaupre@ericsson.ca>, <stable@FreeBSD.ORG>
Subject: RE: ipfw
Message-ID: <002d01c0df12$83fc0170$632807d8@prosser.bentonrea.org>
In-Reply-To: <3B042F4E.D1B583B0@lmc.ericsson.se>
[I prefer pepper]

Ok, I just wanted to make sure that I was thinking right before I went to
hang myself. I was pretty sure it was a problem in my rule set.

Thanks.

Brandt Everett
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
phone: 1-800-398-1232 x 234
webpage: www.bentonrea.com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

> -----Original Message-----
> From: owner-freebsd-stable@FreeBSD.ORG
> [mailto:owner-freebsd-stable@FreeBSD.ORG]On Behalf Of Antoine Beaupre
> (LMC)
> Sent: Thursday, May 17, 2001 1:07 PM
> To: stable@FreeBSD.ORG
> Subject: Re: ipfw
>
>
> [answers to be taken with a grain of salt, I'm not a wizard]
>
> Brandt Everett wrote:
> >
> > I think this is correct but can someone please verify with me
> >
> > Situation:
> > I have a firewall with the following rules.
> >
> > ${fwcmd} add pass ip from ${net1} to ${net2}
> > ${fwcmd} add pass ip from ${net2} to ${net1}
> >
> > ${fwcmd} add divert natd all from any to any via ${natd_interface}
> >
> > Here is my question. If a packet matches one of the first two rules, does
> > it drop out of the rule set and continue on?
>
> Short answer, yes and no.
>
> Medium answer: it drops out of the rule set and does not continue in the
> ruleset.
>
> Long answer: if it matches the first or second, the packet is passed
> unaltered.
>
> > I know that the divert will
> > insert the packet back into the rule list on the next numbered rule.
>
> Yes.
>
> > Also, on a machine with two interfaces, is there somewhere I can find an
> > order for the process or is this right.
>
> You might like to take example on /etc/rc.firewall.
>
> I had trouble figuring it out at first, but try to make a copy of it and
> delete the lines that are irrelevant. For example, choose a "client"
> setup, and remove all other options.
>
> See what it looks like.
>
> > example:
> >
> > (incoming packet)->(outsideif)->(ipfwrule)->(natd)->(ipfwrule)->(insideif)->continues on...
>
> that would be a possible outcome.
>
> > (outgoing packet)<-(outsideif)<-(ipfwrule)<-(natd)<-(ipfwrule)<-(insideif)<- starting packet..
>
> That too.
>
> > Can someone help clear this up?
>
> I think you're right here.
>
> A.
> --
> Semantics is the gravity of abstraction.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message
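The rule-processing semantics the thread settles on (first matching pass rule ends evaluation, a divert hands the packet to natd and resumes at the next numbered rule, and on a two-interface box ipfw sees the packet once on each interface) can be checked with the following toy model. This is an added example, not code from the thread or from FreeBSD's rc.firewall; the rule numbers, the networks standing in for ${net1} and ${net2}, the interface names, the catch-all pass after the divert, the default-deny rule 65535 and the natd stub that only rewrites outbound source addresses are all assumptions made for the example.

```python
"""Toy model of ipfw first-match evaluation with a natd divert rule.

Added example (not from the mailing-list thread or FreeBSD's rc.firewall).
Rule numbers, addresses and interface names are constructed; the natd
model only rewrites the source address of packets leaving the outside if.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed stand-ins for ${net1}, ${net2} and the outside address.
NET1 = ip_network("10.1.0.0/16")
NET2 = ip_network("10.2.0.0/16")
ANY = ip_network("0.0.0.0/0")
PUBLIC_IP = ip_address("192.0.2.1")   # TEST-NET-1 address standing in for the outside IP
OUTSIDE_IF = "fxp0"                   # assumed ${natd_interface}
INSIDE_IF1 = "fxp1"                   # assumed interface towards ${net1}
INSIDE_IF2 = "fxp2"                   # assumed interface towards ${net2}


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    iface: str  # interface the packet is crossing when ipfw sees it


def packet(src: str, dst: str, iface: str) -> Packet:
    """Convenience constructor from dotted-quad strings."""
    return Packet(ip_address(src), ip_address(dst), iface)


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                 # "pass", "deny" or "divert"
    src: IPv4Network
    dst: IPv4Network
    via: Optional[str] = None   # like ipfw "via <if>": match only on that interface

    def matches(self, pkt: Packet) -> bool:
        if self.via is not None and self.via != pkt.iface:
            return False
        return pkt.src in self.src and pkt.dst in self.dst


# The three rules from the thread, plus an assumed catch-all pass standing in
# for whatever rc.firewall rules follow the divert.
RULES = [
    Rule(100, "pass", NET1, NET2),
    Rule(200, "pass", NET2, NET1),
    Rule(300, "divert", ANY, ANY, via=OUTSIDE_IF),
    Rule(400, "pass", ANY, ANY),
]


def natd(pkt: Packet) -> Packet:
    """Toy natd: a packet leaving on the outside interface from a private net
    gets the public address as its source. Inbound translation is not modelled."""
    if pkt.iface == OUTSIDE_IF and (pkt.src in NET1 or pkt.src in NET2):
        return replace(pkt, src=PUBLIC_IP)
    return pkt


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Packet, List[Tuple[int, str]]]:
    """Walk the rules in order. The first matching pass/deny rule ends the walk
    (the packet 'drops out of the rule set'); a divert hands the packet to natd
    and resumes at the next numbered rule with the rewritten packet.
    Returns (verdict, final packet, trace of the rules that fired)."""
    trace: List[Tuple[int, str]] = []
    i = 0
    while i < len(rules):
        rule = rules[i]
        if rule.matches(pkt):
            trace.append((rule.number, rule.action))
            if rule.action == "divert":
                pkt = natd(pkt)   # reinjected at the following rule
            else:
                return rule.action, pkt, trace
        i += 1
    # Assumed default rule 65535 deny (the kernel default unless built otherwise).
    trace.append((65535, "deny"))
    return "deny", pkt, trace


def traverse(rules: List[Rule], pkt: Packet, in_if: str, out_if: str):
    """Two-interface path from the thread's diagram: ipfw sees the packet once
    as it arrives on in_if and again as it leaves on out_if."""
    verdict, pkt, trace_in = evaluate(rules, replace(pkt, iface=in_if))
    if verdict != "pass":
        return verdict, pkt, trace_in
    verdict, pkt, trace_out = evaluate(rules, replace(pkt, iface=out_if))
    return verdict, pkt, trace_in + trace_out


if __name__ == "__main__":
    # LAN-to-LAN traffic is accepted by rule 100 on both interfaces and never NATed.
    print(traverse(RULES, packet("10.1.0.5", "10.2.0.7", INSIDE_IF1), INSIDE_IF1, INSIDE_IF2))
    # Traffic bound for the Internet reaches the divert on the outside interface only.
    print(traverse(RULES, packet("10.1.0.5", "198.51.100.9", INSIDE_IF1), INSIDE_IF1, OUTSIDE_IF))
```

Running it shows the two outcomes discussed in the thread: the net1-to-net2 packet fires rule 100 on the way in and again on the way out and keeps its source address, while the packet headed outside passes the inside interface on the catch-all, is diverted and rewritten on the outside interface, and is then accepted by the rule after the divert. Because the divert is qualified with `via`, it is not even considered while the packet crosses the inside interface.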