Question regarding IPFW manual page description

RW rwmaillists at googlemail.com
Thu Jul 27 16:43:18 UTC 2017


On Thu, 27 Jul 2017 12:23:33 -0400
Makketron wrote:

> Hello,
> According to https://www.freebsd.org/cgi/man.cgi?ipfw(8) , we have:
> 
> "Also note that each packet is always checked against the complete
> ruleset, irrespective of the place where the check occurs, or the
> source of the packet."
> 
> 
> According to
> https://www.freebsd.org/doc/handbook/firewalls-ipfw.html , we have:
> 
> When a packet enters the IPFW firewall, it is compared against the
> first rule in the ruleset and progresses one rule at a time, moving
> from top to bottom in sequence. When the packet matches the selection
> parameters of a rule, the rule's action is executed and the search of
> the ruleset terminates for that packet. ...
> 
> 
> So in the manual pages, when it is said that packet is ALWAYS checked
> against the COMPLETE ruleset, I understand that if packet matches
> rule A, it will still be compared against the remaining rule sets,
> which raises the question, if two rules match, which one wins.

Just above that it says:

 "A packet is checked against the active ruleset in multiple places in
 the protocol stack, under control of several sysctl variables."

My reading is that by "complete ruleset" it means that it's not
selective about which rules run at which place in the stack.
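As an added illustration (not from this thread and not ipfw's own code), the following Python model runs a packet through the complete ruleset, first match wins, once at each hook point in the stack; the rule fields, the packet fields and the default-deny at rule 65535 are simplifying assumptions.

```python
# Minimal model of ipfw first-match evaluation at several hook points.
# Assumptions: rules carry only proto/dport/direction, and the kernel's
# default rule 65535 is "deny" (it is "allow" on some builds).
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    number: int           # ipfw rule number; evaluated in ascending order
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "ip" (ip matches any protocol)
    dport: Optional[int]  # destination port, or None for any
    direction: str        # "in", "out" or "any"

    def matches(self, pkt: dict, direction: str) -> bool:
        if self.direction != "any" and self.direction != direction:
            return False
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        return self.dport is None or self.dport == pkt["dport"]

def evaluate(rules, pkt, direction):
    """Walk the whole ruleset top to bottom; the first matching rule
    decides and the search stops. Returns (rule number, action)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt, direction):
            return rule.number, rule.action
    return 65535, "deny"  # assumed default rule

def traverse(rules, pkt, checkpoints):
    """A packet seen at several hook points is run through the complete
    ruleset at each one; a deny at any point ends the traversal."""
    trace = []
    for direction in checkpoints:
        num, action = evaluate(rules, pkt, direction)
        trace.append((direction, num, action))
        if action == "deny":
            break
    return trace

# Constructed sample ruleset: rules 100 and 200 both match inbound SSH.
RULESET = [
    Rule(100, "allow", "tcp", 22, "in"),
    Rule(200, "deny", "tcp", 22, "any"),
    Rule(300, "allow", "ip", None, "out"),
]
SSH = {"proto": "tcp", "dport": 22}  # constructed sample packet
```

Inbound, rule 100 wins over rule 200 because it comes first; the same packet checked again at the outbound hook hits rule 200, since rule 100 only applies to the "in" direction.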
