Another bug in IPFW@ ...?

Oliver Fromme olli at
Thu Jul 28 16:59:48 GMT 2005


I have created an IPFW2 rule set on a router (no NAT).
In one of the rules I wanted to pass packets originating
from the local host (i.e. non-routed) out through a
specific interface, i.e. packets that have _not_ been
received on some interface.

The manual page ipfw(8) says that "recv any" matches
all packets received on some interface, so the logical
conclusion is that "not recv any" would match packets
originating from the host.  However, this clause is
ignored completely:

# ipfw add pass ip from $A to $N out not recv any xmit xl0
00900 allow ip from $A to $N out xmit xl0

As you can see, the "not recv any" is ignored.  It doesn't
show up in subsequent "ipfw list" output either.

Is this a bug in ipfw?  Or is the documentation inaccurate?
How do I match packets like this that originate from the
local host, i.e. that don't have a receive interface?
(Note that the source IP might be spoofed, so only checking
the source IP is not a solution.)

Best regards

PS:  This is probably not important, but anyway:

$A is the local IP address of the xl0 interface, and $N
is the network connected to that interface, excluding $A.
For example:

$A =
$N ={2-30}
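For readers following the thread, here is an added example (not part of the original post, and not a statement about how ipfw treats "not recv any") of how such a rule set is commonly arranged in ipfw so that a spoofed source address is caught regardless of the receive-interface clause: loopback traffic is allowed first, then any packet arriving inbound on any interface that claims to come from the router's own address $A is dropped, and only after that is traffic from $A out xmit xl0 allowed. Everything remaining with source $A at the outbound rule must then have been generated locally. The addresses, interface name and rule numbers are assumptions; the script prints the ipfw commands instead of running them so it can be inspected anywhere and piped to sh on the router.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Emit an ipfw rule set that lets locally originated packets from $A
# leave via xl0 while dropping inbound packets with a spoofed source of $A
# before the allow rule is ever reached.  Assumed values below; the
# commands are printed, not executed (pipe to sh on the router to apply).

A="${A:-192.0.2.1}"        # assumed: local address of xl0
N="${N:-192.0.2.0/27}"     # assumed: network directly connected to xl0
IF="${IF:-xl0}"
IPFW="${IPFW:-ipfw}"

# Print the rules in the order ipfw must evaluate them.
ruleset() {
    a="$1"; n="$2"; ifc="$3"
    # 1. Loopback first: packets the host sends to its own address arrive
    #    "in" on lo0 with source $a, and must not hit the anti-spoof deny.
    printf '%s add 00100 allow ip from any to any via lo0\n' "$IPFW"
    # 2. Anything arriving on a real interface with our own address as the
    #    source did not originate here, so it is spoofed: drop and log it.
    printf '%s add 00800 deny log ip from %s to any in\n' "$IPFW" "$a"
    # 3. What is left with source $a going out xl0 was generated locally.
    printf '%s add 00900 allow ip from %s to %s out xmit %s\n' "$IPFW" "$a" "$n" "$ifc"
}

# Sanity check: the anti-spoof deny must precede the outbound allow.
deny_precedes_allow() {
    ruleset "$@" | awk '/ deny / { d = NR } / allow / { al = NR }
                        END { exit !(d && al && d < al) }'
}

# Number of rules emitted (useful when wiring this into a larger script).
rule_count() {
    ruleset "$@" | awk 'END { print NR }'
}

ruleset "$A" "$N" "$IF"
```

The log keyword on the deny rule is there so that spoofed packets show up in the firewall log; drop it if the router sits on a noisy segment and the log would just fill up.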

