self-generated packet question

Earl A. Killian earl at killian.com
Thu Apr 10 09:07:45 PDT 2003


Michael Sierchio writes:
 > Date: Thu, 10 Apr 2003 08:41:08 -0700
 > From: Michael Sierchio <kudzu at tenebras.com>
 > 
 > They aren't received on any interface, no.  They can be filtered
 > on output (from me to any, etc.)

Thank you.

Background:

I'm writing a tool to generate an input to ipfw from a description of
the interfaces/nets on a gateway.  Since it has to be general enough
to handle some unusual things about my own gateway, the existing
firewalls in /etc/rc.firewall are not quite sufficient.

 > (presumably you already have an allow rule like allow ip from any to any via lo0).

/etc/rc.firewall has such a rule, except when firewall_type is a
filename.  Since I'm using the latter, I need to generate something
like that.  One purpose of my question was to understand where such a
rule had to go.  I hope to have my generator generate both ipfw
firewalls and ipchains firewalls.  As such, the first statement was
  add skipto <OUTPUTRULE> all from any to any out
to mimic ipchains having separate input and output chains.

So, from what you said, it appears that the "via lo0" is only required
in the output rules.
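As an added example (not Earl Killian's tool and not FreeBSD's /etc/rc.firewall), here is a small sh generator for the layout described above: a `skipto` splits the ruleset into an ipchains-style input section and output section, and the rule file is in the form ipfw reads when firewall_type is a filename. The interface names, networks and rule numbers are constructed; the `via lo0` allow is placed above the `skipto` so it matches loopback traffic in either direction, whichever way ipfw evaluates it.

```shell
#!/bin/sh
# Added example: emit an ipfw rule file laid out like ipchains' separate
# input and output chains. Interfaces and nets below are constructed data.

# Constructed interface table, one "<ifname> <network/prefix>" per line.
IFACES='fxp0 192.0.2.0/24
fxp1 10.0.0.0/24'

OUTPUTRULE=1000   # landing rule of the skipto (start of the output "chain")
INPUT_BASE=200    # first per-interface rule number in the input section
OUTPUT_BASE=1100  # first per-interface rule number in the output section

# Print one line in the "add <num> <rule>" form that `ipfw <file>` accepts.
rule() { printf 'add %s %s\n' "$1" "$2"; }

gen_ruleset() {
    # Loopback above the skipto so it covers both directions of lo0 traffic.
    rule 100 "allow ip from any to any via lo0"
    # Refuse loopback addresses on real interfaces (as rc.firewall also does).
    rule 110 "deny ip from any to 127.0.0.0/8"
    rule 120 "deny ip from 127.0.0.0/8 to any"
    # Everything outbound jumps to the output "chain"; what remains is input.
    rule 150 "skipto $OUTPUTRULE all from any to any out"

    # --- input chain ---
    n=$INPUT_BASE
    printf '%s\n' "$IFACES" | while read -r ifn net; do
        # A packet from this net is only legitimate on its own interface.
        rule "$n" "allow ip from $net to any in recv $ifn"
        n=$((n + 10))
    done
    rule 900 "deny log ip from any to any in"

    # --- output chain ---
    rule "$OUTPUTRULE" "count ip from any to any out"
    n=$OUTPUT_BASE
    printf '%s\n' "$IFACES" | while read -r ifn net; do
        # Only let a net's own addresses leave on that net's interface.
        rule "$n" "allow ip from $net to any out xmit $ifn"
        n=$((n + 10))
    done
    rule 1900 "deny log ip from any to any out"
}

gen_ruleset
```

Redirect the output to a file and point firewall_type at it; ipfw reads the `add ...` lines as-is.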

