clarification on /etc/rc.firewall ("in via ..." commands etc.)
Luigi Rizzo
rizzo at icir.org
Tue Jul 15 17:01:05 PDT 2003
Hi,
I was looking at /etc/rc.firewall, and noticed that there are a
number of rules with "... in via $ifname".
Looking at the ipfw1 code:
+ "in" only matches if a packet has a receive interface associated with it.
+ "via $ifname" matches
1) the xmit interface if one is associated with the packet, or
2) the receive interface if one is associated with the packet, or
3) it fails if no interfaces are associated with the packet.
So, my first question is where in our protocol stack we can have
packets with neither receive nor xmit interfaces.
The second question is whether the sequence "in via $ifname"
should be replaced by "in recv $ifname" (which in my opinion
makes it clearer which traffic is being matched).
cheers
luigi
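A small model of the matching semantics as described in the post above, added here as an example rather than code from the post or from ipfw; the packet representation, the interface names and the sample packets are constructed assumptions. It enumerates the interface states to show that the two rule forms disagree only on a packet carrying a receive interface other than $ifname together with a transmit interface equal to $ifname.

```python
# Model of the ipfw1 interface-matching semantics as described in the post.
# Added example, not ipfw code: a packet carries an optional receive interface
# and an optional transmit interface; None means "no interface associated".
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    rcvif: Optional[str] = None   # receive interface, or None
    xmitif: Optional[str] = None  # transmit (xmit) interface, or None


def match_in(pkt: Packet) -> bool:
    # "in": matches only if a receive interface is associated with the packet.
    return pkt.rcvif is not None


def match_via(pkt: Packet, ifname: str) -> bool:
    # "via $ifname": the xmit interface, if any, is ifname, or the receive
    # interface, if any, is ifname. With neither interface associated both
    # comparisons are False, so the rule fails, as the post states.
    return pkt.xmitif == ifname or pkt.rcvif == ifname


def match_recv(pkt: Packet, ifname: str) -> bool:
    # "recv $ifname": only the receive interface is consulted.
    return pkt.rcvif == ifname


def rule_in_via(pkt: Packet, ifname: str) -> bool:
    return match_in(pkt) and match_via(pkt, ifname)


def rule_in_recv(pkt: Packet, ifname: str) -> bool:
    return match_in(pkt) and match_recv(pkt, ifname)


def differing_packets(packets: List[Packet], ifname: str) -> List[Packet]:
    """Packets on which "in via ifname" and "in recv ifname" disagree."""
    return [p for p in packets if rule_in_via(p, ifname) != rule_in_recv(p, ifname)]


# Constructed sample packets covering every combination of interface state.
SAMPLE_PACKETS = [
    Packet(rcvif="em0"),                # received on em0, no xmit interface
    Packet(rcvif="em1"),                # received on another interface
    Packet(xmitif="em0"),               # xmit only: "in" does not match
    Packet(),                           # no interfaces at all
    Packet(rcvif="em1", xmitif="em0"),  # both set (whether this occurs is the post's first question)
]

if __name__ == "__main__":
    for p in differing_packets(SAMPLE_PACKETS, "em0"):
        print("rules differ on", p)
```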