ipfw ruleset traversal question

Alex de Kruijff freebsd at akruijff.dds.nl
Sun Feb 29 17:26:13 PST 2004

On Sun, Feb 29, 2004 at 05:58:53PM -0500, Shaun T. Erickson wrote:
> I'm trying to port my linux netfilter/iptables firewall to 5.2.1-RELEASE.
> Iptables has the concept of "chains". There are three defined by the 
> system: INPUT, FORWARD & OUTPUT. Packets coming into the system that are 
> destined for a local process traverse the INPUT chain only, packets 
> generated by the system, and leaving it, traverse the OUTPUT chain only, 
> and packets that are simply passing through the system traverse the 
> FORWARD chain only. One nice benefit of this is that inbound packets 
> don't have to traverse rules for outbound packets and vice-versa. This 
> allows efficient grouping of rules and reduces the performance hit of 
> packets having to be checked by all rules.
> How can I set up my ipfw ruleset so that I can achieve that same benefit?

IPFW has one list of rules (with an option to select in/out) that results in
the behaviour you describe. I have an example on my home page where I
select incoming and outgoing packets. Forward is an action just like
skipto, reject, allow and deny are. See man ipfw for more info.
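An added example of the approach the reply describes (not from the original post and not from Alex's home page): a single ipfw list where `in`/`out`, `me` and `skipto` route each packet into one of three rule groups that play the role of the INPUT, FORWARD and OUTPUT chains. The interface name fxp1 and the inside network are assumptions.

```shell
#!/bin/sh
# Emulating iptables INPUT/FORWARD/OUTPUT chains with ipfw skipto.
# Constructed example: interface name and inside network are assumptions.
# Usage:  sh ipfw-chains.sh             # preview the rules (dry run via echo)
#         sh ipfw-chains.sh /sbin/ipfw  # load them for real
iif="fxp1"               # assumed inside interface
inet="192.168.1.0/24"    # assumed inside network

build_ruleset() {
    fwcmd="$1"           # "echo" prints the rules, "/sbin/ipfw" loads them

    $fwcmd -q -f flush
    $fwcmd add 10 allow ip from any to any via lo0
    # Replies to stateful sessions are accepted before any chain is entered.
    $fwcmd add 50 check-state

    # Dispatcher: one rule per "chain", keyed on direction and address.
    #   1000 INPUT-like:   inbound packets for a local process
    #   2000 FORWARD-like: transit packets, inspected on the inbound pass only
    #   3000 OUTPUT-like:  packets generated by this host
    $fwcmd add 100 skipto 1000 ip from any to me in
    $fwcmd add 110 skipto 3000 ip from me to any out
    $fwcmd add 120 skipto 2000 ip from any to any in
    # Outbound pass of transit traffic: already decided at 2000, let it go.
    $fwcmd add 130 allow ip from any to any out

    # INPUT-like chain: only inbound rules live here
    $fwcmd add 1000 allow tcp from $inet to me 22 in recv $iif setup keep-state
    $fwcmd add 1010 allow icmp from any to me in icmptypes 0,3,8,11
    $fwcmd add 1999 deny log ip from any to any

    # FORWARD-like chain: transit from the inside network only
    $fwcmd add 2000 allow tcp from $inet to any 80 in recv $iif setup keep-state
    $fwcmd add 2010 allow tcp from $inet to any 443 in recv $iif setup keep-state
    $fwcmd add 2020 allow udp from $inet to any 53 in recv $iif keep-state
    $fwcmd add 2999 deny log ip from any to any

    # OUTPUT-like chain: locally generated traffic
    $fwcmd add 3000 allow ip from me to any out keep-state
    $fwcmd add 3999 deny log ip from any to any
}

build_ruleset "${1:-echo}"
```

Each packet is classified once by rules 100-130 and then meets only the rules of its own group, so inbound traffic never walks the outbound rules and vice versa; the trailing deny in every group keeps a packet from falling through into the next one.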

