Can someone clarify ipfw's in/out/recv/xmit/via concepts?

Chuck Swiger cswiger at mac.com
Wed Jul 27 01:17:51 GMT 2005


Gary W. Swearingen wrote:
[ ... ]
> The manpage says we have incoming and outgoing packets.
> In and out of what?

Into and out of the system.

> NIC or kernel or ipfw or computer?

Yes, all of those.

> The manpage describes:
>      recv | xmit | via {ifX | if* | ipno | any}
> 
> Is my "de0" an "ifX" or an "if*"?
> ("exact name" or "device name")

"de0" is an "ifX".

> What would be an example of the other?

"de*"?

> Does "ipno" mean a numerical Internet address?
> (It's not mentioned elsewhere in the manpage.)

I think so.

> Does each of my NICs have both of the manpage's xmit and recv
> interfaces, or is one an xmit and one a recv for any one packet rule?

Each of your NICs is logically a full-duplex device, which can both xmit and recv.

> If an incoming packet can be associated with an xmit interface, why
> can't an outgoing packet be associated with a recv interface?

A packet which was created on the machine does not have an interface which it 
was received on.  Packets which are being forwarded from other machines would 
have a recv interface.

> It seems that some people do their blocking of packets
> going from LAN to WAN "on" (so to speak) the LAN interface, some on
> the WAN interface, and some on both.  It doesn't seem to make much
> difference on a pure firewall, except for rule-writing convenience.
> Right?

That depends entirely upon the rules; it's not useful to make a generalization 
like that without a more specific context.

Normally, people should use the "xmit via ifX" syntax for pipe/queue rules to 
avoid counting traffic twice as the packets pass through, but they can also be 
used to ensure that, say, traffic to 127.0.0.1 only goes through lo0, and not 
through some external connection by someone trying to source-route in as localhost.

> I suppose it would be best to put blocks everywhere possible
> or at least "where" the packets enter the computer.  Right?

If you are creating a firewall, you need to create a network topology which 
permits you to control network access, which means restricting traffic which 
flows over well-defined choke points (i.e., your external internet links).

-- 
-Chuck
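The three points raised in the thread (a locally generated packet has no recv interface while a forwarded one has both, "via" matches either interface so a pipe rule written with it can see the same packet on both passes, and the usual lo0 rules that keep 127.0.0.0/8 traffic off external links) are easier to see with a small model than with prose. The following is an added example, not code from the mailing list or from ipfw itself; it assumes the two-pass evaluation described in ipfw(8) for forwarded packets, treats pipe rules like "count" (tally and continue) purely so the tally is visible, and uses a constructed topology where de0 is the WAN link, fxp0 the LAN and lo0 loopback. All addresses and rule numbers are constructed.

```python
"""Toy model of ipfw(8) interface matching: in/out, recv, xmit and via.
Constructed example, not ipfw's code. Assumptions: a forwarded packet is
evaluated twice (an "in" pass where only recv is known, then an "out" pass
with recv and xmit known); a locally generated packet is evaluated once,
outbound, with no recv interface; "via" matches either interface."""
from dataclasses import dataclass
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    direction: str          # "in" or "out": which pass through ipfw this is
    recv: Optional[str]     # interface it arrived on; None if generated locally
    xmit: Optional[str]     # interface it will leave on; None on the "in" pass


@dataclass
class Rule:
    number: int
    action: str             # "allow", "deny" or "pipe N"
    src: str = "any"
    dst: str = "any"
    direction: Optional[str] = None   # "in", "out" or None for both
    recv: Optional[str] = None        # ifX (exact) or if* (glob), as in the manpage
    xmit: Optional[str] = None
    via: Optional[str] = None


def if_match(pattern: str, name: Optional[str]) -> bool:
    """ifX is an exact name, if* a glob; an absent interface never matches."""
    return name is not None and fnmatch(name, pattern)


def addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction and rule.direction != pkt.direction:
        return False
    if not (addr_match(rule.src, pkt.src) and addr_match(rule.dst, pkt.dst)):
        return False
    if rule.recv and not if_match(rule.recv, pkt.recv):
        return False
    if rule.xmit and not if_match(rule.xmit, pkt.xmit):   # only known on "out" passes
        return False
    if rule.via and not (if_match(rule.via, pkt.recv) or if_match(rule.via, pkt.xmit)):
        return False
    return True


def run(rules, pkt: Packet, pipe_hits: dict) -> str:
    """First matching allow/deny wins; pipe rules tally here and fall through."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            if rule.action.startswith("pipe"):
                pipe_hits[rule.action] = pipe_hits.get(rule.action, 0) + 1
                continue
            return f"{rule.number} {rule.action}"
    return "65535 deny"     # ipfw's default rule


def forward(rules, src, dst, in_if, out_if, pipe_hits) -> str:
    """Forwarded packet: an "in" pass (recv only), then an "out" pass (recv+xmit)."""
    verdict = run(rules, Packet(src, dst, "in", in_if, None), pipe_hits)
    if not verdict.endswith("allow"):
        return verdict
    return run(rules, Packet(src, dst, "out", in_if, out_if), pipe_hits)


def local_out(rules, src, dst, out_if, pipe_hits) -> str:
    """Locally generated packet: one outbound pass and no recv interface."""
    return run(rules, Packet(src, dst, "out", None, out_if), pipe_hits)


def pipe_counting() -> dict:
    """'pipe 1 via de0' sees a packet arriving on de0 on both passes (counted twice);
    'in recv de0' / 'out xmit de0' each see it at most once."""
    loose = [Rule(100, "pipe 1", via="de0"), Rule(65000, "allow")]
    tight = [Rule(100, "pipe 1", direction="in", recv="de0"),
             Rule(110, "pipe 2", direction="out", xmit="de0"),
             Rule(65000, "allow")]
    hits = {"loose": {}, "tight": {}}
    forward(loose, "192.0.2.7", "10.0.0.5", "de0", "fxp0", hits["loose"])
    forward(tight, "192.0.2.7", "10.0.0.5", "de0", "fxp0", hits["tight"])
    return hits


def loopback_rules() -> dict:
    """The usual rc.firewall trio: 127/8 traffic is only legitimate via lo0."""
    rules = [Rule(100, "allow", via="lo0"), Rule(200, "deny", dst="127.0.0.0/8"),
             Rule(300, "deny", src="127.0.0.0/8"), Rule(65000, "allow")]
    return {"spoofed_in_on_de0": run(rules, Packet("192.0.2.7", "127.0.0.1", "in", "de0", None), {}),
            "real_loopback": local_out(rules, "127.0.0.1", "127.0.0.1", "lo0", {})}


def recv_on_outgoing() -> dict:
    """'out recv fxp0 xmit de0' matches forwarded LAN->WAN traffic but never a
    packet the machine made itself, which has no recv interface."""
    rules = [Rule(100, "deny", direction="out", recv="fxp0", xmit="de0"), Rule(65000, "allow")]
    return {"forwarded_lan_to_wan": forward(rules, "10.0.0.5", "192.0.2.7", "fxp0", "de0", {}),
            "local_to_wan": local_out(rules, "10.0.0.1", "192.0.2.7", "de0", {})}


if __name__ == "__main__":
    print(pipe_counting(), loopback_rules(), recv_on_outgoing(), sep="\n")
```

Running it shows the "via de0" pipe rule tallying the same inbound packet twice while the "in recv"/"out xmit" pair tallies it once, the spoofed 127.0.0.1 packet arriving on de0 stopping at the deny rule while genuine loopback traffic is allowed via lo0, and the "out recv fxp0" rule matching only the forwarded packet. The model ignores the "ipno" form of the interface spec and ipfw's one_pass sysctl; those are deliberate simplifications, not ipfw behaviour.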
