Another bug in IPFW@ ...?

Oliver Fromme olli at
Thu Jul 28 16:59:48 GMT 2005


I have created an IPFW2 rule set on a router (no NAT).
In one of the rules I wanted to pass packets originating
from the local host (i.e. non-routed) out through a
specific interface, i.e. packets that have _not_ been
received on some interface.

The manual page ipfw(8) says that "recv any" matches
all packets received on some interface, so the logical
conclusion is that "not recv any" would match packets
originating from the host.  However, this clause is
ignored completely:

# ipfw add pass ip from $A to $N out not recv any xmit xl0
00900 allow ip from $A to $N out xmit xl0

As you can see, the "not recv any" is ignored.  It doesn't
show up in subsequent "ipfw list" output either.

Is this a bug in ipfw?  Or is the documentation inaccurate?
How do I match packets like this that originate from the
local host, i.e. that don't have a receive interface?
(Note that the source IP might be spoofed, so only checking
the source IP is not a solution.)

Best regards

PS:  This is probably not important, but anyway:

$A is the local IP address of the xl0 interface, and $N
is the network connected to that interface, excluding $A.
For example:

$A =
$N ={2-30}

PPS:  I read the mailing list, so please do not Cc me.

Oliver Fromme,  secnetix GmbH & Co KG, Marktplatz 29, 85567 Grafing
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"anyone new to programming should be kept as far from C++ as
possible;  actually showing the stuff should be considered a
criminal offence" -- Jacek Generowicz
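One way to catch the behaviour the post describes (a clause silently dropped when a rule is loaded) is to compare the rule as typed with the line ipfw echoes back. The script below is an added example and is not part of the original post nor of ipfw itself; the addresses are constructed placeholders for the post's $A and $N, the "pass" to "allow" mapping reflects ipfw's canonical output as seen in the post, and nothing here invokes ipfw, so it runs anywhere a POSIX sh exists.

```shell
#!/bin/sh
# Added example, not from the original post or from ipfw: after loading a
# rule, compare the text you typed with the line "ipfw list" printed back and
# report any clause that silently disappeared. ipfw prints some keywords in
# canonical form ("pass" is echoed as "allow"), so those aliases are mapped
# before comparing. Addresses below are constructed placeholders standing in
# for the post's $A and $N; nothing here runs ipfw.

# normalise_rule RULE -> one token per line, alias keywords mapped
normalise_rule() {
    printf '%s\n' "$1" \
        | tr -s ' \t' '\n\n' \
        | sed -e '/^$/d' -e 's/^pass$/allow/' -e 's/^accept$/allow/' -e 's/^permit$/allow/'
}

# dropped_clauses INTENDED ACTUAL -> prints each token of INTENDED that is
# absent from ACTUAL (a leading rule number in ACTUAL is ignored).
# Prints nothing when every clause survived. Token-level only: a keyword
# that also occurs elsewhere in the rule would mask a dropped copy of it.
dropped_clauses() {
    case "$2" in
        [0-9]*) actual_text=${2#* } ;;   # strip a "00900 " style rule number
        *)      actual_text=$2 ;;
    esac
    actual_tokens=" $(normalise_rule "$actual_text" | tr '\n' ' ') "
    for tok in $(normalise_rule "$1"); do
        case "$actual_tokens" in
            *" $tok "*) ;;                 # clause survived
            *) printf '%s\n' "$tok" ;;     # clause missing from echoed rule
        esac
    done
}

# Constructed sample mirroring the post: what was typed versus what ipfw echoed.
INTENDED='pass ip from 192.0.2.1 to 192.0.2.0/24 out not recv any xmit xl0'
ECHOED='00900 allow ip from 192.0.2.1 to 192.0.2.0/24 out xmit xl0'

missing=$(dropped_clauses "$INTENDED" "$ECHOED")
if [ -n "$missing" ]; then
    printf 'clauses dropped from rule: %s\n' "$(printf '%s' "$missing" | tr '\n' ' ')"
else
    printf 'rule loaded as intended\n'
fi
```

On the post's sample the check reports "not recv any" as dropped, which is exactly the discrepancy the author noticed by eye; run over a whole rule set (one intended line against the matching "ipfw list" line) it turns that manual comparison into a repeatable post-load sanity check. The comparison is per token, so a keyword that legitimately appears twice in a rule would hide the loss of one copy; for rules like that, compare positions rather than membership.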
