Date:      Mon, 30 Apr 2018 10:48:36 -0700
From:      Jeff Kletsky <freebsd@wagsky.com>
To:        freebsd-net@freebsd.org
Subject:   ipfw -- selecting locally generated packets
Message-ID:  <979d3478-4bec-e6a1-41cd-bb26beb93123@wagsky.com>

From time to time, I rewrite my firewall rules to take advantage of 
the ever-improving set of features that ipfw provides. One of the 
challenges I have faced in the past was selecting packets that are 
generated on the firewall host itself, as opposed to those that it 
received through an interface.

While I find most of the Linux firewall implementations untenable for a 
variety of reasons, they do provide differentiation between what they 
call "OUTPUT" and "FORWARD". I'm looking to see if there is a "better" 
way to implement this kind of selection with the 11.1 version of ipfw.

"out and not in" many years ago seemed an obvious selector, and it's good 
to see that it is now clearly documented in "man ipfw" that it doesn't 
work, with "(in fact, out is implemented as not in)".

"not recv any" doesn't seem to be helpful either:

    $ sudo ipfw add 64000 count ip from any to any out xmit any not recv any
    64000 count ip from any to any out

In the past, I've tagged all incoming packets and used that tag to 
differentiate between the two.

Is there something "cleaner" (or perhaps clearer) than using a tag in 
that way?


TIA,

Jeff
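The tag approach the post mentions, written out as an added example (this is not code from the post or from the FreeBSD project). It assumes rule numbers 100/200/300, uses `count` as a placeholder action where a real ruleset would use `allow`/`deny`, and wraps the `ipfw -q` invocation in a hypothetical `FWCMD` variable so the rules can be previewed with `FWCMD=echo` before touching a live firewall. Every packet the host receives gets tagged on its `in` pass; an outbound packet that carries no tag was therefore generated on the host itself (the Linux "OUTPUT" case), while an outbound packet that still carries the tag was received and is being forwarded ("FORWARD").

```shell
# Added example, not from the original post. FWCMD defaults to the real
# ipfw binary; set FWCMD=echo to print the rules instead of loading them.
FWCMD="${FWCMD:-/sbin/ipfw -q}"

# tag_rules [TAG]: install (or, with FWCMD=echo, print) the three rules that
# separate locally generated packets from forwarded ones. TAG defaults to 1
# and must lie in ipfw's documented tag range 1..65534.
tag_rules() {
    tag="${1:-1}"
    case "$tag" in
        ''|*[!0-9]*) echo "tag_rules: tag must be a positive integer" >&2; return 1 ;;
    esac
    if [ "$tag" -lt 1 ] || [ "$tag" -gt 65534 ]; then
        echo "tag_rules: tag $tag outside 1..65534" >&2
        return 1
    fi

    # 1. Attach the tag to every packet received on any interface. Locally
    #    generated packets never take the "in" path, so they are never tagged.
    $FWCMD add 100 count tag "$tag" ip from any to any in

    # 2. Outbound and untagged: generated on this host (Linux "OUTPUT").
    #    Replace "count" with the allow/deny policy you want for host traffic.
    $FWCMD add 200 count ip from any to any out not tagged "$tag"

    # 3. Outbound and still tagged: received earlier, now being forwarded
    #    (Linux "FORWARD"). Again, "count" is only a placeholder action.
    $FWCMD add 300 count ip from any to any out tagged "$tag"
}

# Preview without loading:   FWCMD=echo sh this_script.sh
# Load for real (as root):   sh this_script.sh
tag_rules 1
```

The tag lives on the packet only while it is inside the kernel, which is exactly the window between the `in` pass and the matching `out` pass, so nothing leaks onto the wire. Packets received on an interface and destined for the host itself are tagged too, but they never reach rules 200/300 because they are never sent out; if the firewall also sees loopback traffic, remember that a packet on `lo0` is seen `out` first and `in` afterwards, so rule 200 will classify it as locally generated, which is the intended result.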