Date: Fri, 9 Mar 2001 23:35:05 -0800
From: "Crist J. Clark" <cjclark@reflexnet.net>
To: Patrick Bihan-Faou <patrick@netzuno.com>
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: interface specification extension for ipfw
Message-ID: <20010309233505.B50418@rfx-216-196-73-168.users.reflex>
In-Reply-To: <HJEEKLMFLKEOKHOKNPBMKEMNCLAA.patrick@netzuno.com>; from patrick@netzuno.com on Fri, Mar 09, 2001 at 07:25:49PM -0500
References: <HJEEKLMFLKEOKHOKNPBMKEMNCLAA.patrick@netzuno.com>
On Fri, Mar 09, 2001 at 07:25:49PM -0500, Patrick Bihan-Faou wrote:
> Hi,
>
> I am currently building a firewall using ipfw, and I am facing a small
> issue. In order to group my rules in some meaningful way (to me), the first
> thing I do is split the packets per interface. Depending on the recv
> interface, I go to a different region of the ruleset using "skipto".
> Now, according to the ipfw man page, packets generated by or destined to the
> local host will not have recv or xmit interface information respectively.
>
> This makes it a bit difficult to separate the traffic for the localhost from
> the rest.

Well, you said you want to group traffic by recv interface. I don't see
what is tough about that. If you have three interfaces, if[012],

    01000 skipto 20000 ip from any to any recv if0
    01100 skipto 30000 ip from any to any recv if1
    01200 skipto 40000 ip from any to any recv if2
    10000 [start of rules for traffic generated by this host]

Anything that is not passed by these three is traffic that was not
received by any interface, i.e. traffic generated by the machine.

Now, the second problem, separating traffic _to_ the host. Trying to use
interface information to figure out which traffic is destined for this
host is kind of awkward. How does the machine figure out which interface
the packet would (or would not) go to? It checks the IP address of the
datagram and then looks at the routing table. Why don't you take the more
direct approach and just check the destination IP of the datagram to
determine what is meant for this host?

--
Crist J. Clark                                cjclark@alum.mit.edu
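The layout Crist describes (skipto per recv interface, locally generated traffic falling through to rule 10000, and a destination-address check rather than an xmit-interface check for traffic meant for the host) can be walked through with a small first-match evaluator. This is an added example, not code from the thread or from ipfw itself: the rule numbers, the interface names if0/if1/if2, the host addresses and the packets are all constructed, and the evaluator models only the three match criteria the thread talks about (recv interface, destination address, skipto).

```python
"""Toy first-match evaluator for the ipfw skipto-by-interface layout.

Constructed example (not ipfw code): models only recv-interface matching,
a "destination is one of this host's addresses" check, skipto and the
implicit default deny, which is enough to trace where each packet lands.
"""
from dataclasses import dataclass
from typing import Optional, Tuple, List


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    recv: Optional[str]  # None = generated by this host (no recv interface)


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                 # "allow", "deny" or "skipto"
    target: int = 0             # skipto destination rule number
    recv: Optional[str] = None  # match only if received on this interface
    dst_local: bool = False     # match only if dst is one of this host's addresses


# Constructed: addresses this host owns on if0, if1 and if2. Checking the
# datagram's destination against these is the "direct approach" in the reply.
LOCAL_ADDRS = {"192.0.2.1", "198.51.100.1", "203.0.113.1"}

RULES: List[Rule] = [
    Rule(1000, "skipto", target=20000, recv="if0"),
    Rule(1100, "skipto", target=30000, recv="if1"),
    Rule(1200, "skipto", target=40000, recv="if2"),
    Rule(10000, "allow"),                                 # region: generated by this host
    Rule(20000, "skipto", target=50000, dst_local=True),  # if0 traffic addressed to this host
    Rule(20010, "allow"),                                 # region: forwarded, came in on if0
    Rule(30000, "skipto", target=50000, dst_local=True),
    Rule(30010, "allow"),                                 # region: forwarded, came in on if1
    Rule(40000, "skipto", target=50000, dst_local=True),
    Rule(40010, "allow"),                                 # region: forwarded, came in on if2
    Rule(50000, "allow"),                                 # region: destined to this host
    Rule(65535, "deny"),                                  # ipfw's implicit default rule
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """All criteria set on the rule must hold; unset criteria match anything."""
    if rule.recv is not None and pkt.recv != rule.recv:
        return False
    if rule.dst_local and pkt.dst not in LOCAL_ADDRS:
        return False
    return True


def evaluate(pkt: Packet, rules: List[Rule] = RULES) -> Tuple[int, str]:
    """Return (terminal rule number, action) under first-match + skipto."""
    ordered = sorted(rules, key=lambda r: r.number)
    i = 0
    while i < len(ordered):
        rule = ordered[i]
        if not matches(rule, pkt):
            i += 1
            continue
        if rule.action == "skipto":
            # skipto N resumes at the first rule numbered >= N
            i = next(j for j, r in enumerate(ordered) if r.number >= rule.target)
            continue
        return rule.number, rule.action
    raise RuntimeError("ruleset has no terminal rule")


if __name__ == "__main__":
    samples = [
        Packet("10.0.0.5", "192.0.2.1", "if0"),     # in on if0, for this host
        Packet("10.0.0.5", "172.16.0.9", "if0"),    # in on if0, to be forwarded
        Packet("192.0.2.1", "172.16.0.9", None),    # generated by this host
        Packet("10.0.0.5", "172.16.0.9", "if3"),    # interface with no skipto rule
    ]
    for p in samples:
        print(p, "->", evaluate(p))
```

The last sample is the caveat worth keeping in mind with this layout: a packet received on an interface that has no skipto rule of its own (if3 here) falls through to the same region as locally generated traffic, so that region only means "generated by this host" if every interface that can receive packets has a skipto rule above it.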