Dave McCammon <[EMAIL PROTECTED]> writes:
> Here is a link to a thread that helped me to understand
> the in/out/recv/xmit stuff.
Thanks guys. I think I've "got" most of it now.

Incoming packets are those entering the OS kernel implementing the ipfw firewall, but not necessarily those entering the ipfw firewall each time the kernel uses it. Outgoing packets are those leaving. Depending upon firewall config, the firewall can test packets one or two times as they enter the kernel, considering them as incoming, and one or two times as they exit the kernel, considering them as outgoing. (See ipfw diagram.) An exception is that when bridging, it tests packets only once, considering them as incoming only. (The latter is based on my tests.)

When it tests an incoming packet it doesn't try to predict which interface it will be transmitted on (not sure why, if NAT isn't on), so "in" rules don't match against an "xmit" interface. When it tests an outgoing packet, it knows which interface it was received on and which interface it will be transmitted on, so "out" rules may match against both "recv" and "xmit" interfaces.

Using "via if0" is like using three rules: "in recv if0", "out xmit if0", and "out recv if0". Using "out via if0" is like using two rules: "out xmit if0" and "out recv if0". Using "in via if0" is like using "in recv if0".

I'm not claiming that the above is any better than the manpage; I'm just trying to quickly hang some simple "facts" out there to be shot down if untrue. (Maybe someday I'll set up a routing firewall to test more of them than I have yet.)
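The in/out/recv/xmit/via semantics summarised in the post above, encoded as a small Python model so the stated "via" equivalences can be checked mechanically. This is an added example, not the poster's text and not ipfw code; the Packet and Rule types and the interface names if0/if1 are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import product
from typing import Optional

# Toy model of the matching rules described in the post; not ipfw itself.

@dataclass(frozen=True)
class Packet:
    direction: str               # "in" (entering the kernel) or "out" (leaving)
    recv: Optional[str]          # interface the packet was received on
    xmit: Optional[str] = None   # interface it will be sent on; unknown while "in"

@dataclass(frozen=True)
class Rule:
    direction: Optional[str] = None  # "in", "out", or None for both
    recv: Optional[str] = None
    xmit: Optional[str] = None
    via: Optional[str] = None

def matches(rule: Rule, pkt: Packet) -> bool:
    """Decide whether a rule's direction/interface options match a packet."""
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    # An incoming packet has not been routed yet, so no xmit interface is known:
    # "in ... xmit ifX" never matches, and "via" only sees the recv side.
    xmit = pkt.xmit if pkt.direction == "out" else None
    if rule.recv is not None and rule.recv != pkt.recv:
        return False
    if rule.xmit is not None and rule.xmit != xmit:
        return False
    if rule.via is not None and rule.via not in (pkt.recv, xmit):
        return False
    return True

def expand_via(rule: Rule) -> list:
    """Rewrite a 'via' rule into the recv/xmit rules the post says it equals."""
    if rule.via is None:
        return [rule]
    expanded = []
    if rule.direction in (None, "in"):
        expanded.append(Rule("in", recv=rule.via))
    if rule.direction in (None, "out"):
        expanded.append(Rule("out", xmit=rule.via))
        expanded.append(Rule("out", recv=rule.via))
    return expanded

def via_expansion_agrees(rule: Rule) -> bool:
    """True if the expansion matches exactly the packets the 'via' rule does."""
    ifaces = ["if0", "if1"]
    pkts = [Packet("in", r) for r in ifaces]
    pkts += [Packet("out", r, x) for r, x in product(ifaces, ifaces)]
    return all(matches(rule, p) == any(matches(e, p) for e in expand_via(rule))
               for p in pkts)
```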