ipfw ruleset traversal question
Alex de Kruijff
freebsd at akruijff.dds.nl
Sun Feb 29 17:26:13 PST 2004
On Sun, Feb 29, 2004 at 05:58:53PM -0500, Shaun T. Erickson wrote:
> I'm trying to port my linux netfilter/iptables firewall to 5.2.1-RESLEASE.
> Iptables has the concept of "chains". There are three defined by the
> system: INPUT, FORWARD & OUTPUT. Packets coming into the system that are
> destined for a local process traverse the INPUT chain only, packet
> generated by the system, and leaving it, traverse the OUTPUT chain only,
> and packets that are simply passing through the system traverse the
> FORWARD chain only. One nice benefit of this, is that inbound packets
> don't have to traverse rules for outbound packets and vice-versa. This
> allows efficient grouping of rules and reduces the performance hit of
> packets having to be checked by all rules.
> How can I set up my ipfw ruleset so that I can achieve that same benefit?
IPFW has one list of rules (with option to select in/out) that result in
the behavure as you describe. I have a example on my home page where i
select incomming and outging package. Forward is a action just like,
skipto, reject, allow and deny are. See man ipfw for more info.
Articles based on solutions that I use:
More information about the freebsd-questions