Hi all,
For my question please reference the handbook tutorial of IPFW.
https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html
What exactly does this rule for the LAN interface do?
$cmd 00005 allow all from any to any via xl0
This rule is above all the outbound rules for allowing access out to the internet. My understanding is that once a packet matches "allow", it will allow it and stop processing any other rules for that packet. So a packet originating on the LAN side intended for the internet will hit this rule before any of the rules allowing access to the internet. Also, gateway_enable is set to "YES", so the interfaces can forward traffic to each other. The default route is in the routing table. So with that in mind, a packet originating from the LAN should hit this rule, be forwarded to the public interface, and go straight out to the internet. It's already been allowed, so it would really never hit any of the outbound rules below. However, in the example they have all sorts of outbound rules below. Can someone explain this rule a little better?
Forgive me as I'm used to chains where everything is either intended for the machine, originating from the machine, or routed through the machine.
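Added illustration, not part of the question above and not code from the FreeBSD handbook: a toy model of the one IPFW behaviour the rule ordering depends on. IPFW runs the rule set once when a packet enters the host on an interface (the "in" pass) and again when it leaves on an interface (the "out" pass), first match wins on each pass, and "via xl0" only matches on xl0 in either direction. A LAN packet bound for the internet is therefore decided by rule 00005 on its inbound pass over xl0, but on its outbound pass over the public interface rule 00005 cannot match, and the "out via $pif" rules further down are what decide it. The model assumes dc0 as the public interface, uses made-up rule numbers other than 00005 and 00010, and leaves out setup/keep-state/check-state, so return traffic is not modelled.

```python
"""Toy model of IPFW first-match evaluation on a forwarding (gateway) host.

Added example, not handbook code. Only the keywords the question turns on are
modelled: proto ('all'/'tcp'/'udp'), a destination port, 'in'/'out', and
'via <iface>' (either direction on that interface) or 'out via <iface>'.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    num: int
    action: str                        # 'allow' or 'deny'
    proto: str = 'all'                 # 'all', 'tcp', 'udp', 'icmp'
    dport: Optional[int] = None        # destination port, None = any
    direction: Optional[str] = None    # 'in', 'out', or None for either
    iface: Optional[str] = None        # interface for 'via' / 'out via'


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet, direction: str, iface: str) -> bool:
    """Does this rule match the packet on this pass (direction + interface)?"""
    if rule.proto != 'all' and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.direction is not None and rule.direction != direction:
        return False
    if rule.iface is not None and rule.iface != iface:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, direction: str, iface: str) -> Tuple[int, str]:
    """One pass through the rule set: first matching rule decides, as in ipfw."""
    for rule in sorted(rules, key=lambda r: r.num):
        if matches(rule, pkt, direction, iface):
            return rule.num, rule.action
    # ipfw's implicit final rule 65535; a deny default is assumed here
    return 65535, 'deny'


def forward(rules: List[Rule], pkt: Packet, in_iface: str, out_iface: str):
    """A routed packet is evaluated twice: 'in' on the interface it arrived on,
    then, only if that pass allowed it, 'out' on the interface it leaves by."""
    trace = []
    num, action = evaluate(rules, pkt, 'in', in_iface)
    trace.append(('in', in_iface, num, action))
    if action == 'allow':
        num, action = evaluate(rules, pkt, 'out', out_iface)
        trace.append(('out', out_iface, num, action))
    return trace


LAN, WAN = 'xl0', 'dc0'   # dc0 standing in for the handbook's $pif (assumption)
RULES = [
    Rule(5, 'allow', iface=LAN),                                   # allow all from any to any via xl0
    Rule(10, 'allow', iface='lo0'),                                # allow all from any to any via lo0
    Rule(110, 'allow', 'tcp', dport=53, direction='out', iface=WAN),  # DNS out (illustrative number)
    Rule(130, 'allow', 'tcp', dport=80, direction='out', iface=WAN),  # HTTP out (illustrative number)
    Rule(300, 'deny', direction='in', iface=WAN),                  # everything else arriving on the public side
    Rule(500, 'deny'),                                             # catch-all deny
]

if __name__ == '__main__':
    # Constructed sample packets; addresses are documentation ranges.
    lan_to_web = Packet('tcp', '192.168.1.10', '203.0.113.5', dport=80)
    lan_to_smtp = Packet('tcp', '192.168.1.10', '203.0.113.5', dport=25)
    net_to_lan = Packet('tcp', '198.51.100.7', '192.168.1.10', dport=80)
    print('LAN -> web :', forward(RULES, lan_to_web, LAN, WAN))    # rule 5 on in-pass, rule 130 on out-pass
    print('LAN -> smtp:', forward(RULES, lan_to_smtp, LAN, WAN))   # rule 5 on in-pass, rule 500 denies on out-pass
    print('net -> LAN :', forward(RULES, net_to_lan, WAN, LAN))    # rule 300 denies on the in-pass over dc0
```

The second trace is the useful one: rule 00005 allows the packet in on xl0, yet the same packet is still dropped by the catch-all when it tries to leave on dc0, which is exactly why the handbook can keep the per-service "out via $pif" rules below rule 00005 and still have them enforced.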