Date: Sat, 10 Mar 2001 12:29:39 -0500
From: "Patrick Bihan-Faou" <patrick@netzuno.com>
To: <freebsd-ipfw@freebsd.org>
Subject: RE: interface specification extension for ipfw
Message-ID: <HJEEKLMFLKEOKHOKNPBMIENDCLAA.patrick@netzuno.com>
In-Reply-To: <20010309233505.B50418@rfx-216-196-73-168.users.reflex>
OK, I have done a couple of experiments, and now I am confused. The statement in the manpage (regarding whether or not the interface information is set) seems to be incorrect.

00001  483 113807 count ip from any to any
00002  245  17088 count ip from any to any in
00003   25   3887 count ip from any to any in recv rl0
00004  218  12895 count ip from any to any in recv rl1
00005    2    306 count ip from any to any in recv lo0
00006  245  17088 count ip from any to any in recv any
00007  238  96719 count ip from any to any out
00008   22   3536 count ip from any to any out recv rl0
00009   23   1166 count ip from any to any out recv rl1
00010    0      0 count ip from any to any out recv lo0
00011   45   4702 count ip from any to any out recv any
00012   25   1309 count ip from any to any out xmit rl0
00013  211  95104 count ip from any to any out xmit rl1
00014    2    306 count ip from any to any out xmit lo0
00015  238  96719 count ip from any to any out xmit any
00016    0      0 count ip from any to any out recv rl0 xmit rl0
00017   22   3536 count ip from any to any out recv rl0 xmit rl1
00018    0      0 count ip from any to any out recv rl0 xmit lo0
00019   22   3536 count ip from any to any out recv rl0 xmit any
00020   23   1166 count ip from any to any out recv rl1 xmit rl0
00021    0      0 count ip from any to any out recv rl1 xmit rl1
00022    0      0 count ip from any to any out recv rl1 xmit lo0
00023   23   1166 count ip from any to any out recv rl1 xmit any
00024    0      0 count ip from any to any out recv lo0 xmit rl0
00025    0      0 count ip from any to any out recv lo0 xmit rl1
00026    0      0 count ip from any to any out recv lo0 xmit lo0
00027    0      0 count ip from any to any out recv lo0 xmit any
00028   23   1166 count ip from any to any out recv any xmit rl0
00029   22   3536 count ip from any to any out recv any xmit rl1
00030    0      0 count ip from any to any out recv any xmit lo0
00031   45   4702 count ip from any to any out recv any xmit any

These traces seem to suggest that no packets are ever passed to the firewall rules without proper interface information.
I certainly cannot confirm that the following statement is valid in a reliable way:

    A packet may not have a receive or transmit interface: packets originating from the local host have no receive interface, while packets destined for the local host have no transmit interface.

For rules with the "in" keyword, I cannot find any packets that don't have the "recv" interface information set (count for rule #2 == #6 == #3 + #4 + #5).

For rules with the "out" keyword, the xmit interface is also always indicated (#7 == #15 == #12 + #13 + #14). However, rules with the "out" keyword may lose the "recv" interface information (#7 != #11).

I first thought that maybe the diversion to natd was causing this (not shown in the above snippet), but the number of packets that have been diverted is equal to the number of packets that have "recv" interface information with the "out" keyword (rule #11).

The test traffic included pings from the host, going through the host (this is my router to the internet), and from the host to the host itself.

I am getting increasingly confused with all of this, and any word of wisdom would be greatly appreciated. Specifically:

- is it possible to have no "recv" interface with the "in" keyword?
- what makes the "recv" interface information unavailable for "out" rules? Could it be that locally generated packets are never subjected to the "in" rules?

Thanks in advance!

Patrick.
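The counter arithmetic Patrick does by hand (#2 == #6 == #3 + #4 + #5, and so on) can be checked mechanically against an `ipfw -a list` dump. The script below is an added example and is not part of the message or of ipfw itself; it embeds the rule listing from the message above as constructed sample input and relies only on the column layout visible in that listing (rule number, packet count, byte count, rule body). On a live router you would replace the embedded text with the output of `ipfw -a list`.

```shell
#!/bin/sh
# Added example (not from the original message): verify the per-interface
# accounting identities for ipfw "count" rules from an `ipfw -a list` dump.
# Columns assumed: <rule number> <packets> <bytes> <rule body>.

# Constructed sample input: the rule counters posted in the message above.
IPFW_DUMP='00001 483 113807 count ip from any to any
00002 245 17088 count ip from any to any in
00003 25 3887 count ip from any to any in recv rl0
00004 218 12895 count ip from any to any in recv rl1
00005 2 306 count ip from any to any in recv lo0
00006 245 17088 count ip from any to any in recv any
00007 238 96719 count ip from any to any out
00008 22 3536 count ip from any to any out recv rl0
00009 23 1166 count ip from any to any out recv rl1
00010 0 0 count ip from any to any out recv lo0
00011 45 4702 count ip from any to any out recv any
00012 25 1309 count ip from any to any out xmit rl0
00013 211 95104 count ip from any to any out xmit rl1
00014 2 306 count ip from any to any out xmit lo0
00015 238 96719 count ip from any to any out xmit any'

# rule_pkts N: print the packet counter of rule N (leading zeros ignored).
rule_pkts() {
    printf '%s\n' "$IPFW_DUMP" | awk -v n="$1" '$1 + 0 == n { print $2; exit }'
}

# sum_pkts N...: sum of the packet counters of the listed rules.
sum_pkts() {
    total=0
    for r in "$@"; do
        p=$(rule_pkts "$r")
        total=$(( total + ${p:-0} ))
    done
    echo "$total"
}

# check_eq LABEL LHS RHS: report one identity; exit status 0 if it holds.
check_eq() {
    if [ "$2" -eq "$3" ]; then
        echo "ok       $1: $2 == $3"
    else
        echo "MISMATCH $1: $2 != $3"
        return 1
    fi
}

# check_identities: the identities the message reports as holding.
# Returns 0 only if all of them hold for the loaded dump.
check_identities() {
    status=0
    check_eq "in == in recv any"            "$(rule_pkts 2)"  "$(rule_pkts 6)"      || status=1
    check_eq "in recv any == sum(in recv X)" "$(rule_pkts 6)"  "$(sum_pkts 3 4 5)"   || status=1
    check_eq "out == out xmit any"          "$(rule_pkts 7)"  "$(rule_pkts 15)"     || status=1
    check_eq "out xmit any == sum(out xmit X)" "$(rule_pkts 15)" "$(sum_pkts 12 13 14)" || status=1
    check_eq "out recv any == sum(out recv X)" "$(rule_pkts 11)" "$(sum_pkts 8 9 10)"  || status=1
    return $status
}

# missing_recv_out: outbound packets that carried no recv interface,
# i.e. the #7 != #11 gap the message asks about (out minus out recv any).
missing_recv_out() {
    echo $(( $(rule_pkts 7) - $(rule_pkts 11) ))
}

check_identities
echo "out packets with no recv interface: $(missing_recv_out)"
```

With the posted counters every identity in `check_identities` holds and `missing_recv_out` prints 193, which is exactly the difference between rule #7 and rule #11 that the message singles out; rerunning the script against a fresh `ipfw -a list` after changing the test traffic shows whether that gap tracks locally generated packets.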
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?HJEEKLMFLKEOKHOKNPBMIENDCLAA.patrick>